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Executive Summary 


On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million 
consumers. This number eventually grew to 148 million—nearly half the U.S. population and 56 
percent of American adults. This staff report explains the circumstances of the cyberattack 
against Equifax, one of the largest consumer reporting agencies (CRA) in the world. 

Equifax is one of several large CRAs in the United States. CRAs gather consumer data, 
analyze it to create credit scores and detailed reports, and then sell the reports to third parties. 
Consumers do not voluntarily provide information to CRAs, nor do they have the ability to opt 
out of this information collection process. Though CRAs provide a service in facilitating 
information sharing for financial transactions, they do so by amassing large amounts of sensitive 
personal data—a high-value target for cyber criminals. 1 Consequently, CRAs have a heightened 
responsibility to protect consumer data by providing best-in-class data security. 

In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an 
aggressive growth strategy, leading to the acquisition of multiple companies, information 
technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s 
bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, 
and expanded data security risks. In August 2017, three weeks before Equifax publicly 
announced the breach, Smith boasted Equifax was managing “almost 1,200 times” the amount of 
data held in the Library of Congress every day. 2 

Equifax, however, failed to implement an adequate security program to protect this 
sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such 
a breach was entirely preventable. 

On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly 
disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. 
The following day, the Department of Homeland Security alerted Equifax to this critical 
vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed 
this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on 
their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a 
March 16 meeting about this vulnerability. 

Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer 
Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in 


1 After the Breach: The Monetization and Illicit Use of Stolen Data: Hearing Before the Subcomm. on Terrorism & 
Illicit Finance of the H. Comm, on Financial Sen’s., 115th Cong. (2018) (testimony of Lillian Ablon, RAND 
Corporation); see also J.P.Morgan, Cybercrime: This Is War 1 (2013), 
https://www.jpmorgan.com/tss/General/Cybercrime_This_Is_War/1320514323773. 

(“Due to its potentially high value and its use in facilitating fraud through additional channels, PII has become a 
valuable commodity in the world of cybercrime.”). 

2 Richard Smith, Chief Exec. Officer, Equifax, Address to the Terry College of Business at the University of 
Georgia (Aug. 17, 2017), https://www.youtube.com/watch?v=lZzqUnQg-Us. 
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the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not 
patch the Apache Struts software located within ACIS, leaving its systems and data exposed. 

On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 
days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over 
Equifax’s network. They found a file containing unencrypted credentials (usernames and 
passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The 
attackers were able to use these credentials to access 48 unrelated databases. 

Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted 
personally identifiable information (PII) data 265 times. The attackers transferred this data out of 
the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration 
because the device used to monitor ACIS network traffic had been inactive for 19 months due to 
an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and 
immediately noticed suspicious web traffic. 

After updating the security certificate, Equifax employees identified suspicious traffic 
from an IP address originating in China. The suspicious traffic exiting the ACIS application 
potentially contained image files related to consumer credit investigations. Equifax discovered it 
was under active attack and immediately launched an incident response effort. 

On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed 
additional suspicious traffic from a second IP address owned by a German ISP, but leased to a 
Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for 
emergency maintenance. The cyberattack concluded when ACIS was taken offline. 

On July 31, Chief Information Officer (CIO) David Webb informed Richard Smith of the 
cyber incident. Equifax suspected the attackers exploited the Apache Struts vulnerability during 
the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an 
extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau 
of Investigation to alert them to the cyber incident. 

By late August 2017, Mandiant confirmed attackers accessed a significant volume of 
consumer PII. Equifax launched an effort to prepare for public notice of the breach. As part of 
this effort, Equifax created a website for individuals to find out whether they were affected by 
the data breach and, if so, to register for credit monitoring and identity theft services. Equifax 
also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On 
September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the 
data breach, a number that would later grow to 148 million. 

When Equifax informed the public of the breach on September 7, the company was 
unprepared to support the large number of affected consumers. The dedicated breach website and 
call centers were immediately overwhelmed, and consumers were not able to obtain timely 
information about whether they were affected and how they could obtain identity protection 
services. 
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Equifax should have addressed at least two points of failure to mitigate, or even prevent, 
this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT 
management structure existed, leading to an execution gap between IT policy development and 
operation. This also restricted the company’s implementation of other security initiatives in a 
comprehensive and timely manner. As an example, Equifax had allowed over 300 security 
certificates to expire, including 79 certificates for monitoring business critical domains. 

Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a 
complex IT environment. Equifax ran a number of its most critical IT applications on custom- 
built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made 
IT security especially challenging. Equifax recognized the inherent security risks of operating 
legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This 
effort, however, came too late to prevent the breach. 

Equifax held several officials accountable for the data breach. The CIO and Chief 
Security Officer (CSO) both took early retirements on September 15, eight days after the public 
announcement. Equifax’s CEO Richard Smith left the company on September 26. On October 2 
Equifax terminated Graeme Payne, Senior Vice President and Chief Information Officer for 
Global Corporate Platforms, for failing to forward an email regarding the Apache Struts 
vulnerability. Payne, a highly-rated employee for seven years and a senior manager of nearly 400 
people, managed a number of IT systems within Equifax, including ACIS. On October 3, 

Richard Smith testified before Congress blaming human error and a failure to communicate the 
need to apply a patch as underlying reasons for the breach. 

Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company 
taken action to address its observable security issues prior to this cyberattack, the data breach 
could have been prevented. 
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Commonly Used Names and Acronyms 


Chief Executive Officer 

Mark Begor, April 2018 - present 

Paulino do Rego Barros Jr., Interim, September 2017 - March 2018 

Richard Smith, December 2005 - September 2017 

Chief Information Officer 

(now known as Chief Technology Officer) 

Bryson Koehler, June 2018 - present 

David Webb, January 2010 - September 2017 

Robert Webb, November 2004 - July 2009 

Chief Security Officer 

(now known as Chief Information Security Officer) 

Jamil Farshchi, February 2018 - present 

Russ Ayres, Deputy, February 2018 - present 

Interim, September 2017 - February 2018 

Susan Mauldin, August 2013 - September 2017 

Tony Spinelli, September 2005 - March 2013 

Senior Equifax Officials 

John J. Kelley, Chief Legal Officer, January 2013 - present 

Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate 
Platforms, March 2011 - October 2017 


ACIS 

Automated Consumer Interview System 

CFBP 

Consumer Financial Protection Bureau 

CIO 

Chief Information Officer 

CRA 

Consumer Reporting Agency 

CSO 

Chief Security Officer 

FCRA 

Fair Credit Reporting Act 

FTC 

U.S. Federal Trade Commission 

GLBA 

Gramm-Leach-Bliley Act 

GTVM 

Global Threat and Vulnerability Management 

NIST 

National Institute of Standards and Technology 

PII 

Personally Identifiable Information 

SEC 

U.S. Securities and Exchange Commission 

SSL 

Secure Sockets Layer 

US-CERT 

U.S. Computer Emergency Readiness Team 
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Timeline of Key Events 


March 7, 2017 

• Apache Struts Project Management Committee announces the CVE-2017-5638 
vulnerability affecting Apache Struts and releases the patch. 3 

March 8, 2017 

• The United States Computer Emergency Readiness Team (US-CERT) sends Equifax an 
alert to patch the particular vulnerability in Apache Struts software. 4 

March 9, 2017 

• Equifax’s Global Threat and Vulnerability Management (GTVM) team disseminates US- 
CERT notification internally by email requesting responsible personnel apply the critical 
patch within 48 hours. 5 

March 10, 2017 

• First evidence of attackers exploiting the Apache Struts vulnerability on servers 
connected to the Equifax network. 6 

March 15, 2017 

• Equifax’s Security team runs scans to identify any systems containing the Apache Struts 
vulnerability. The scans did not detect the vulnerability on any externally facing systems. 7 


3 Apache Software Foundation, Response From The Apache Software Foundation to Questions from US House 
Committee on Energy and Commerce Regarding Equifax Data Breach , APACHE SOFTWARE FOUNDATION BLOG 
(Oct. 3, 2017), https://blogs.apache.org/foundation/entry/responses-to-questions-from-us. 

4 Email from U.S. Computer Emergency Readiness Team, to GTVM, Equifax (Mar. 8, 2017, 7:31:16 PM) (on file 
with Committee, EFXCONG-SSTOGROOOOOOO 6 O). 

5 Email from GTVM, Equifax, to GTVM Alerts, Equifax (Mar. 9, 2017, 9:31:48 AM) (on file with Committee, 
EFXCONG-SSTOGR000000508). 

6 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. Staff 
(Aug. 17, 2018). 

7 Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Jamie Fike, Workforce Solutions, 
Equifax (Mar. 15, 2017, 1:56:38 PM) (on file with Committee, EFXCONG-SSTOGR000000510); see also 
Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital 
Commerce & Consumer Prot. of the H. Comm, on Energy & Commerce, 115th Cong. (2017) (prepared written 
statement of Richard Smith, Former Chief Exec. Officer, Equifax). 
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May 13, 2017 


• Attackers enter the Equifax network through the Apache Struts vulnerability located 
within the Automated Consumer Interview System (ACIS) application and drop web 
shells onto the Equifax system. 8 

May 13, 2017 - July 30, 2017 

• Timeframe during which hackers gained unauthorized access to Equifax databases 
through an Equifax legacy environment. 9 Attackers perform approximately 9,000 queries 
to sensitive databases within Equifax system. 10 

July 29, 2017 

• Equifax renews the expired security certificate for the device monitoring ACIS network 
traffic. The certificate was expired for 19 months. 

• Equifax’s Security team observes suspicious network traffic associated with its ACIS 
web application. In response, Equifax blocks the suspicious traffic. 11 

July 30, 2017 

• Equifax’s Security team continues to monitor network traffic and observes additional 
suspicious activity. Equifax takes the ACIS application offline. 12 

• Graeme Payne, Senior Vice President and Chief Information Officer for Global 
Corporate Platforms, informs David Webb, Chief Information Officer, of the security 
incident. 13 


8 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. Staff 
(Aug. 17, 2018). 

9 Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee). 

10 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. Staff 
(Aug. 17, 2018). 

11 Id. See also Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel 
Changes (Sept. 15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832. 

12 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. Staff 
(Aug. 17, 2018). 

13 Email from Graeme Payne, Senior Vice President, Equifax, to David Webb, Chief Info. Officer, Equifax (July 30, 
2017, 7:16:00 PM) (on file with Committee, EFXCONG-SSTOGR000043861). 
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July 31, 2017 


• Equifax staff determines personally identifiable information (PII) may have been 
exfiltrated as a part of the intrusion. 14 

• David Webb informs Chief Executive Officer Richard Smith of the security incident. 15 

August 2, 201 7 

• Equifax engages law firm King and Spalding and hires cybersecurity firm Mandiant to 
conduct a forensic review of the breach. 16 Equifax also informs the Federal Bureau of 
Investigation. 17 

August 11, 2017 

• Mandiant determines hackers may have accessed a database table containing large 
amounts of consumers’ PII. 18 

August 17, 2017 

• Equifax holds a senior leadership team meeting to discuss Mandiant’s preliminary 
findings from the data breach investigation. 19 

August 24, 2017 

• Mandiant confirms volume of PII accessed and begins to develop an approach with 
Equifax database owners to determine the identity of affected consumers. 20 


14 Email from Corporate Security Support, Equifax, to Joe Sanders, Senior Director for Security, GTVM, Equifax 
(July 31, 2017, 12:00:03 AM) (on file with Committee, EFXCONG-SSTOGR000000077-EFXCONG- 

S S TOGR000000081). 

15 David Webb Transcribed Interview 32-22, May 30, 2018 (on file with Committee) [hereinafter Webb Transcribed 
Interview]. 

16 Mandiant, Mandiant Report 1 (2017) (on file with Committee). See also Oversight of the Equifax Data Breach: 
Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. Of the H. Comm, 
on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former Chief Exec. 
Officer, Equifax). 

17 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital 
Commerce & Consumer Prot. Of the H. Comm, on Energy & Commerce, 115th Cong. (2017) (prepared written 
statement of Richard Smith, Former Chief Exec. Officer, Equifax). 

18 Id. See also Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & 
Tech. Staff (Aug. 17, 2018). 

19 Susan Mauldin Transcribed Interview 118, June 20, 2018 (on file with Committee) [hereinafter Mauldin 
Transcribed Interview], 

20 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. Staff 
(Aug. 17, 2018). 
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August 24-25, 2017 


• CEO Richard Smith holds telephonic meetings with Equifax Board of Directors and 
informs the full Board of the breach. 21 

September 4, 201 7 

• Based on Mandiant’s investigation, Equifax compiles a list of 143 million U.S. 
consumers whose personal information may have been compromised. 22 

September 7, 2017 

• Equifax notifies the public of the breach. Equifax states the information accessed by 
attackers included names, Social Security numbers, dates of birth, addresses, driver’s 
license numbers, credit card numbers, and dispute documents. 23 

September 14, 2017 

• The House Committee on Oversight and Government Reform and the House Committee 
on Science, Space, and Technology launch an investigation into the Equifax data 
breach. 24 

September 15, 2017 

• Equifax CIO David Webb and CSO Susan Mauldin announce their retirements. 25 

September 26, 2017 

• Equifax CEO Richard Smith announces his retirement. 26 


21 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital 
Commerce & Consumer Prot. Of the H. Comm, on Energy & Commerce, 115th Cong. (2017) (prepared written 
statement of Richard Smith, Former Chief Exec. Officer, Equifax). 

22 Id. 

23 Press Release, Equifax, Equifax Announces Cybersecurity Incident Involving Consumer Information (Sept. 7, 
2017), https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628. 

24 Letter from Rep. Trey Gowdy, Chairman, H. Comm, on Oversight & Gov’t Reform, Rep. Lamar Smith, 

Chairman, H. Comm, on Science, Space & Tech., to Richard Smith, Chairman & Chief Exec. Officer, Equifax 
(Sept. 14, 2017) (on file with Committee). 

25 Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 
15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832. 

26 Press Release, Equifax, Equifax Chairman, CEO, Richard Smith Retires; Board of Directors Appoints Current 
Board Member Mark Feidler Chairman; Paulino do Rego Barros, Jr. Appointed Interim CEO; Company to Initiate 
CEO Search (Sept. 26, 2017), https://investor.equifax.com/news-and-events/news/2017/09-26-2017-140531280. 
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October 2, 2017 


• Mandiant completes its forensic investigation, concluding the potential number of victims 
was 2.5 million more than originally reported. 27 

• Equifax terminates Graeme Payne for failing to forward the March 9 GTVM email alert 
regarding the patch for the Apache Struts vulnerability. 28 

October 3, 201 7 

• Richard Smith testifies before the Subcommittee on Digital Commerce and Consumer 
Protection of the House Committee on Energy and Commerce. 29 

March 1, 2018 

• Equifax releases updated information on the 2017 breach, indicating the attackers 
accessed information including names and partial driver’s license information of an 
additional 2.4 million U.S. consumers. 30 


27 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. Staff 
(Aug. 17, 2018). 

28 Graeme Payne Transcribed Interview 147-148, Aug. 10, 2018 (on file with Committee) [hereinafter Payne 
Transcribed Interview], 

29 Oversight of the Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital 
Commerce & Consumer Prot. of the H. Comm, on Energy & Commerce, 115th Cong. (2017). 

30 Equifax Releases Updated Information on 2017 Cybersecurity Incident, EQUIFAX (Mar. 1, 2018), 
https://www.equifaxsecurity2017.eom/2018/03/01/equifax-releases-updated-information-2017-cybersecurity- 
incident/. 
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I. The Consumer Reporting Agency Business Model and Use 
of Personally Identifiable Information 

A. Consumer Reporting Agency Business Model 

Consumer reporting agencies gather consumer information, analyze it to create credit 
scores and detailed reports, and then sell the consumer reports to third parties (see Figure l). 31 
The consumer reporting agency (CRA) business model allows CRAs to compile and profit off 
the sensitive data of American consumers. 32 The three national CRAs are Equifax, Experian, and 
TransUnion, and there are approximately 400 regional and specialty CRAs which focus on 
collecting information within a specific industry, such as information related to payday loans, 
checking accounts, or utilities. 33 

Individual consumers do not voluntarily provide data to CRAs. Rather, CRAs actively 
gather consumers’ personal information from furnishers. 34 This information may include 
historical data about credit repayment, tenant payment, employment, insurance claims, arrests, 
bankruptcies, check writing, and account management. 35 CRAs package, analyze, and sell this 
information to businesses. 36 An individual does not have the opportunity to “opt out” of this 
process. 

Businesses use consumer data provided by CRAs to identify and manage financial and 
transactional risks. 37 For example, lenders rely on credit reports and scores when determining 
whether to grant a loan and the corresponding interest rate. Insurance companies use the 
information to set policy premiums. Employers may use the information to screen prospective 
employees for risk of fraud. Utility and telecommunication service providers use the reports to 
verify the identity of customers and determine down payment requirements for new customers. 

Federal agencies use identity verification services provided by one or more of the CRAs 
when enrolling new applicants for federal benefits and services. 38 The Internal Revenue Service 


31 Fair Credit Reporting Act, Pub. L. No. 91-508, Title VI, § 604, 84 Stat. 1128 (1970) (amending The Consumer 
Credit Protection Act) (codified as amended at 15 U.S.C. §§ 1681-1681x). 

32 Consumer reporting agencies are also referred to as “credit reporting agencies.” 

33 U.S. Gov’t Accountability Office, GAO-18-559, Data Protection Actions Taken by Equifax and 
Federal Agencies in Response to the 2017 Breach 1,18 (2018) [hereinafter GAO Equifax Data Breach Report]; 
see also N. Eric Weiss, Cong. Research Serv., IN10792, The Equifax Data Breach: An Overview and 
Issues for Congress (2018), 

http://www.crs.gov/Reports/IN10792?source=search&guid=9873256117cl48fbbe29d0ca59633c20&index=3 
[hereinafter CRS Equifax Data Breach Overview], 

34 A furnisher is a company who provides consumer information to CRAs. Examples of furnishers include banks, 
thrifts, credit unions, savings and loan institutions, mortgage lenders, credit card issuers, collection agencies, retail 
installment lenders, and auto finance lenders. See Duties of Furnishers of Information to Consumer Reporting 
Agencies, 16 C.F.R. § 660.2 (2009). 

35 Darryl Getter, Cong. Research Serv., R44125, Consumer and Credit Reporting, Scoring, and 
Related Policy Issues 2 (2018), http://www.crs.gov/reports/pdf/R44125 [hereinafter CRS Consumer and Credit 
Reporting Issues], 

36 CRS Consumer and Credit Reporting Issues at 2. 

31 Id. atl. 

38 GAO Equifax Data Breach Report at 13. 
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(IRS), for example, awarded Equifax a $7.25 million contract for taxpayer identity verification 
and validation services after the 2017 data breach had been publicly announced. 39 


Your Exposure to Equifax 


Borrowers may never directly interact with a credit-reporting 
company. They deal directly with a lender, who in turn uses 
data from the companies. 

Borrowers provide personal 
information to lenders. 

. Your data ► 

4 . & . 



Consumers not seeking a loan can tell 
credit-reporting companies to freeze 
their reports to protect their data. 

Your data 




Your data 


Your data 


Equifax, Experian and TransUnion 

Lenders report information about their 
borrowers to credit companies like 
Equifax. They also get access to 
information on borrowers' other debts. 



FICO score 

Your data is entered into a formula, 
owned by Fair Isaac Corp. to make a 
FICO score, which is used by lenders 
to help determine who to lend to. 

THE WALL STREET JOURNAL 


Figure 1: Flow Equifax Receives Your Personal Information 4 


Each CRA has its own model for evaluating the information in an individual’s credit 
report and assigning a credit score. A credit score is a numeric metric used to predict a variety of 
financial behaviors. 41 Credit score models measure the following factors in determining a credit 
score: (1) payment history; (2) credit utilization; (3) length of credit history; (4) new credit 
accounts or requests; and (5) credit mix. 42 The CRAs analyze this information and create an 
individual’s credit score. 43 CRAs tend to collect the same information but may choose to weigh 


39 Alfred Ng, Why Equifax Won An IRS Contract Despite A Massive Hack , CNet (Oct. 3, 2017), 
https://www.cnet.com/news/irs-gives-equifax-7-25-million-contract-to-prevent-tax-fraud/. 

Security concerns eventually led the IRS to cancel the contract. See John McCrank, IRS Puts Equifax Contract on 
Hold During Security Review, Reuters (Oct. 13, 2017), https://www.reuters.com/article/us-equifax-cyber/irs-puts- 
equifax-contract-on-hold-during-security-review-idUSKBNlCI2G9. 

40 AnnaMaria Andriotis et al., ‘We’ve Been Breached’: Inside the Equifax Hack, Wall Street Journal (Sept. 18, 
2017), https://www.wsj.com/articles/weve-been-breached-inside-the-equifax-hack-1505693318. 

41 CRS Consumer and Credit Reporting Issues at 4. 

42 Id. at 6. 

43 Id. 


14 
























or value certain items differently. As a result, an individual’s credit score may vary between 
Equifax, Experian, and TransUnion. 44 


Consumer reporting agencies sell these credit scores, and the corresponding detailed 
consumer report, to a variety of businesses for specific purposes. For example, when a customer 
applies for a loan, a CRA can sell the customer’s credit score and detailed report to the potential 
lender. The potential lender can use the information contained about the customer within the 
CRA’s report to decide whether to loan the money or not; what interest rate to apply; and if a 
down payment should be required. 45 

The nature of the CRA business model gives Equifax a deep and granular view of 
consumers’ lives. Combining information from numerous data sources allows Equifax to likely 
know a person’s immigration status, income, wealth, assets, bank balances, current and past 
addresses, employer, rental history, utility bills, and spending habits. 46 Due to the intrusive 
amount of data held by CRAs, these companies have an obligation to have best-in-class data 
protection and cybersecurity practices and tools in place. 

Equifax, however, did not have these best-in-class protections in place. 

B. Equifax - Aggressive Growth and Increasing Risk in Data Intrusive 

Industry 

At the beginning of his tenure as Equifax CEO, Richard Smith embarked on an ambitious 
growth strategy. When the 2017 data breach occurred, Equifax had credit information on 820 
million consumers and 91 million businesses. This massive amount of sensitive information 
made Equifax a prime target for hackers, and Equifax was unprepared for these security risks. 

1. Equifax Corporate Profile 

Equifax was founded in 1899 in Atlanta, Georgia, and became a public company in 
1965. 47 The company has 10,300 employees worldwide and operates in 24 countries within 
North America, Central and South America, Europe, and the Asia Pacific region. 48 Equifax 
maintains credit information on 820 million consumers and more than 91 million businesses. 49 It 


44 CRS Consumer and Credit Reporting Issues at 6. See also How Do Credit Reporting Agencies Get Their 
Information, EQUIFAX (July 2, 2014), https://blog.equifax.com/credit/how-do-credit-reporting-agencies-get-their- 
information/. 

45 CRS Consumer and Credit Reporting Issues at 5-6. 

46 Russel Grantham, Equifax’s Rapid Growth Probably Added To Its Hacking Risk, Experts Say, The Atlanta 
Journal Constitution, (Sept. 21, 2017), https://www.myajc.com/business/equifax-rapid-growth-probably-added- 
its-hacking-risk-experts-say/lq8jU65GAOy45UgC4RodfK/. 

47 Equifax, 2017 Annual Report (Form 10-K) (Mar. 1, 2018), https://investor.equifax.eom/~/media/Files/E/Equifax - 
IR/Annual%20Reports/2017-annual-report.pdf. 

48 Id. 

49 Press Release, Equifax, Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (Sept. 
15, 2017), https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832. 
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is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the 
New York Stock Exchange under the symbol EFX. 50 

On October 26, 2018, Equifax had a market value of $11.72 billion dollars. 51 For 
comparison, Equifax’s market value was $17.02 billion the day before Equifax publicly 
announced the 2017 data breach (see Figure 2). 52 Equifax reported $3,362 billion revenue in 
2017. 53 Even with the public criticism following the data breach announcement on September 7, 
2017, the company’s reported 2017 revenue increased 7 percent from 2016. 54 



Figure 2: Equifax’s Share Price (August 2017 - September 2018) 55 

Prior to the company’s third quarter earnings report, Equifax’s stock had nearly returned 
to its pre-breach announcement price - reaching $138.06 in mid-September 2018. 56 Equifax 
issued its third quarter earnings report on October 24, 2018. 57 The report shows Equifax missed 
both its quarterly earnings and revenue estimates with costs relating to the data breach continuing 
to increase. Equifax’s stock price fell more than 17 percent and closed out the week at $97.19. 58 


50 Company Profile, EQUIFAX, https://www.equifax.com/about-equifax/company-profile/ (last visited Oct. 19, 2018). 

51 Equifax Inc. Market Cap, YCHARTS, https://ycharts.com/companies/EFX/market_cap (last visited Oct. 27, 2018). 

52 Id. 

53 Press Release, Equifax, Equifax Releases Fourth Quarter Results (Mar. 1, 2018), 
https://investor.equifax.com/news-and-events/news/2018/03-01-2018-213648628. 

54 Id. 

55 Ivan Levingston & Jennifer Surane, Equifax Breach a Year Later: Record Profits, Share Revival, BLOOMBERG 
(Sept. 7, 2018), https://www.bloomberg.com/news/articles/2018-09-07/equifax-breach-a-year-later-record-profits- 
share-price-revival. 

56 Id. 

51 Press Release, Equifax, Equifax Releases Third Quarter 2018 Results (Oct. 24, 2018), 
https://investor.equifax.com/news-and-events/news/2018/10-24-2018-212657646. 

58 Equifax Inc. (EFX) Quote, YCHARTS, https://ycharts.com/companies/EFX (last visited Oct. 27, 2018). 
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2. CEO Richard Smith’s Growth Strategy 

Richard Smith was hired as Equifax’s CEO in December 2005 and quickly embarked on 
an ambitious growth strategy. In 2007, Equifax purchased TALX Corporation, an American 
human resources and payroll services company with 142 million employment records, for $1.4 
billion. 59 In 2014, Equifax acquired TDX Group, a United Kingdom-based debt management 
firm, for $327 million. 60 In 2016, the company purchased Australia’s leading credit firm Veda 
Group for $1.9 billion. 61 

In total, Equifax has acquired eighteen companies. 62 The acquisitions made Equifax one 
of the largest private credit-tracking firms in the world. 63 During his tenure as CEO, Smith’s 
growth-by-acquisition strategy resulted in Equifax’s market value more than quadrupling from 
approximately $38 per share in December 2005 to $138 per share in early September 2017. 64 

In an August 17, 2017 speech at the University of Georgia, Smith explained Equifax’s 
business strategy. He stated: 

What do we do? We manage massive amounts of very unique data. In fact, 
we have data on approaching one billion people. We have data on 
approaching 100 million companies around the world. The data assets are 
so large, so unique it is . . . credit data, it is financial data - we have 
something like $20 trillion of wealth data on individuals, so how many 
annuities, mutual funds, equities you own. About $20 trillion on property 
data, so property that you might own - what the value was when you bought 
it, what it’s worth today. Utility data, marketing data, I could go on and on 
and on - but massive amounts of data. 


59 Press Release, TALX, Equifax Announces Agreement to Acquire TALX Corporation in a Transaction Valued at 
$1.4 Billion (Feb. 14, 2007), http://investor.talx.com/phoenix.zhtml?c=74399&p=irol-newsArticle&ID=963591. 

60 Equifax Acquires TDX Group , YAHOO Finance (Jan. 20, 2014), https://finance.yahoo.com/news/equifax- 
ac quire s - tdx-group -165004763. html. 

61 Veda Group held the credit information of approximately 20 million people and 5.7 million organizations in 
Australia and New Zealand. Zach’s Equity Research, Equifax Signs Binding Agreement to Buy Veda Group, 
NASDAQ (Nov. 24, 2015), https://www.nasdaq.com/article/equifax-efx-signs-binding-agreement-to-buy-veda-group- 
cm546765; see also Equifax Completes Acquisition of Australia’s Leading Credit Information Company, Veda 
Group Limited, for Total Consideration of USD $1.9 Billion, PRN Newswire (Feb. 25, 2016), 
https://www.prnewswire.com/news-releases/equifax-completes-acquisition-of-australias-leading-credit-information- 
company-veda-group-limited-for-total-consideration-of-usdl9-billion-300226572.html. 

62 Equifax Acquisitions, CRUNCHBASE, https://www.crunchbase.com/search/acquisitions/field/organizations/num 
_acquisitions/equifax?timeline=true&timelineType=all (last visited Oct. 19, 2018). 

63 Press Release, Equifax, Equifax Releases Fourth Quarter Results (Mar. 1, 2018), 

https://investor.equifax.com/news-and-events/news/2018/03-01-2018-213648628; see also Oversight of the Equifax 
Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital Commerce & Consumer Prot. Of 
the H. Comm, on Energy & Commerce, 115th Cong. (2017) (prepared written statement of Richard Smith, Former 
Chief Exec. Officer, Equifax). 

64 Equifax Inc. Market Cap, YCHARTS, https://ycharts.com/companies/EFX/market_cap (last visited Oct. 27, 2018). 
See also AnnaMaria Andriotis & Michael Rapoport, Equifax Hack Upends CEO’s Drive to Be a Data Powerhouse, 
The Wall Street Journal (Sept. 22, 2017), https://www.wsj.com/articles/equifax-hack-upends-ceos-drive-to-be- 
data-powerhouse-1506085201. 
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In fact... if you think about the largest library in the world . . . the Library 
of Congress ... we manage almost 1,200 times that amount of data every 
day. 65 

3. "Massive Amounts” of Data Equals Massive Security Risks 

Having so much personal information in one place made Equifax a prime target for 
hackers. Consumer reporting agencies have been the target of multiple cyberattacks in recent 
years. For example, two large data theft incidents occurred at Experian, one of the three major 
CRAs. In 2013, a man running an identity theft ring tricked an Experian subsidiary - purchased 
in 2012 - into giving him direct access to personal and financial data on more than 200 million 
consumers. 66 The man continued siphoning consumer data for close to ten months after the 
acquisition without Experian’s knowledge. 67 In 2015, Experian disclosed a breach of its 
computer systems where intruders stole approximately 15 million Social Security numbers and 
other data on people who applied for financing from wireless provider T-Mobile. 68 Experian said 
the compromise of an internal server exposed names, dates of birth, addresses, Social Security 
numbers and/or driver’s license numbers. 69 

Equifax was unprepared for these risks. An August 2016 report by the financial index 
provider MSCI Inc. assigned Equifax’s data security efforts a rating of zero out of ten. 70 The 
provider’s April 2017 rating remained unchanged. Both reports concluded: 

Equifax’s data security and privacy measures have proved insufficient in 
mitigating data breach events. The company’s credit reporting business 
faces a high risk of data theft and associated reputational consequences . . . 

. The company’s data and privacy policies are limited in scope and Equifax 
shows no evidence of data breach plans or regular audits of its information 
security policies and systems. 71 


65 Richard Smith, Chief Exec. Officer, Equifax, Address to the Terry College of Business at the University of 
Georgia (Aug. 17, 2017), https://www.youtube.com/watch?v=lZzqUnQg-Us. 

66 Brian Krebs, Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records , Krebs ON 
SECURITY (Mar. 10, 2014), https://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access- 
200-million-consumer-records/. 

67 Id. 

68 Brian Krebs, Experian Breach Affects 15 Million Customers , Krebs ON SECURITY (Oct. 15, 2015), 
https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/. 

69 Id. 

70 See Equifax Cyber Security Scandal, MSCI, https://www.msci.com/equifax (“In August 2016, MSCI ESG Ratings 
identified, and called attention to Equifax Inc.’s poor data security and privacy measures, which led to its downgrade 
to ‘CCC’ - our lowest possible rating.”) (last visited Oct. 29, 2018). 

71 MSCI, Equifax Inc. (last rating date Apr. 7, 2017), 

https://www.msci.com/documents/1296102/6174917/EQUIFAX+INC+ESG+Ratings+Report+Tearsheet.pdf/43d4f9 
4f-f831 -45fb -90c 1 -07 c94021 af62. 
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4. Key Equifax Officials Responsible for IT and Security 


The two individuals leading Equifax’s IT and cybersecurity operations at the time of the 
breach were CIO David Webb and CSO Susan Mauldin. Graeme Payne, Senior Vice President 
and CIO for Global Corporate Platforms at the time of the breach, also played an important role. 
The Committee conducted transcribed interviews with these three individuals during the year¬ 
long investigation into Equifax’s 2017 data beach. 

David Webb first started working in the technology field in 1977. 72 In 2010, Equifax 
hired Webb for the role of CIO where we was responsible for the company’s global IT 
infrastructure. 73 Susan Mauldin began her work in the technology field as a software engineer for 
Hewlett Packard in 1983. 74 After holding IT and security positions at other companies, Mauldin 
was hired as Equifax’s CSO in August 2013 where she was responsible for cybersecurity and 
business resiliency. 75 Graeme Payne held a variety of IT and technology roles at private sector 
firms before joining Equifax in 2011 as the Vice President of IT Risk and Compliance. 76 In July 
2014, Equifax promoted Payne to the position of Senior Vice President and CIO for Global 
Corporate Platforms, where he reported directly to David Webb. 77 In this role Payne was 
“responsible for supporting all the business systems the company used to run the business, 
financial, HR, legal, marketing, sales, anything that was sort of nonrevenue producing across the 
company.” 78 An internal restructuring within the Equifax IT organization occurred in April 2016 
and Payne assumed responsibility for access management, IT-audit coordination, and IT-Security 
coordination. 79 


72 Webb Transcribed Interview at 8. 

73 Id. at 9, 42. 

74 Mauldin Transcribed Interview at 9. 

75 Id. at 9, 13-14. 

76 Payne Transcribed Interview at 9-10. 

77 Id. at 10. 

78 Id. 

79 Id. at 43-44. 
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II. Regulations for Consumer Reporting Agencies 


Consumer reporting agencies are subject to a variety of federal laws designed to protect 
consumer information. Similar to other private sector entities, CRAs must notify consumers 
when information is compromised by a security incident. There is no comprehensive federal law 
mandating an organization’s responsibility to notify affected individuals in the event of a data 
breach. 80 Instead, an entity like Equifax must comply with unique breach notification laws in 
fifty different states. The following discussion highlights existing regulatory and enforcement 
tools, including breach disclosure and notification requirements, applicable to CRAs like 
Equifax. 

A. FTC and CFPB Authority over Consumer Reporting Agencies 

The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau 
(CFPB) both have enforcement authority over CRAs. 81 The Fair Credit Reporting Act (FCRA) 
and the Gramm-Feach-Bliley Act (GFBA) are the two principal federal laws regulating CRAs. 
The FTC generally has the authority, with certain exceptions, to investigate and bring 
enforcement actions against any organization for violations of laws governing consumer 
information. 82 In 2010, the Dodd-Frank Act gave CFPB enforcement authority over CRAs for 
violations of most of the provisions contained in the FCRA, certain provisions of the GFBA, and 
for unfair, deceptive, or abusive acts or practices under the Dodd-Frank Act. 83 

1. Federal Trade Commission Act 

The FTC pursues data security violations using its authority under Section 5 of the 
Federal Trade Commission Act, which prohibits “unfair or deceptive . . . practices in or affecting 
commerce.” 84 Since 2002, the FTC has brought over 60 cases against companies for engaging in 
unfair or deceptive practices by failing to adequately protect consumers’ personal data. 85 The 
FTC’s principal tool is to bring an enforcement action against a company for unlawful behavior, 
and require the company take affirmative steps to remediate this behavior. Affirmative steps may 
include the implementation of a comprehensive data security program or monetary redress to 
consumers. 86 


80 GAO Equifax Data Breach Report at 18, note 30. 

81 Consumer Financial Protection Bureau (CFPB) is also known as the Bureau of Consumer Financial Protection 
(BCFP). Acting Director Mick Mulvaney began referring to the agency as BCFP in April 2018, consistent with the 
Dodd-Frank Act. This report uses the acronym CFPB because it is better known by the public. 

82 15 U.S.C. § 45(a)(2) (2012). Certain entities, such as banks, credit unions, common carriers, and non-profit 
organizations, are excluded from FTC’s authority under the Federal Trade Commission Act. 

83 Consumer Fin. Prot. Bureau, CFPB Supervision and Examination Process 3 (2018), 
https://www.consumerfmance.gOv/f/documents/cfpb_supervision-and-examination-manual.pdf. 

84 15 U.S.C. § 45(a) (2012). 

85 Fed. Trade Comm’n, Privacy and Data Security Update: January 2017 - December 2017 4 (2018), 
https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions- 
enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf. 

86 Id. at 1. 
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The FTC can seek civil monetary penalties for the violation of an FTC order, the FCRA, 
and other privacy statutes. 87 The Commission may initiate civil actions in federal district court 
for violations of the Federal Trade Commission Act. 88 Federal courts have upheld FTC authority 
to regulate data security practices after a violation of Section 5 of the Federal Trade Commission 
Act has occurred. 89 The FTC does not, however, have specific authority to examine a CRA’s data 
security practices for ongoing compliance with the Federal Trade Commission Act. 90 

2. Dodd-Frank Act 

The 2010 Dodd-Frank Act established the Consumer Financial Protection Bureau 
(CFPB). 91 The Dodd-Frank Act gave CFPB the responsibility to implement and enforce federal 
consumer financial law. 92 The CFPB’s authorities fall into three broad categories: (1) 
supervisory, which includes the power to examine and impose reporting requirements on 
financial institutions; (2) enforcement of various consumer protection laws and regulations, 
including certain provisions in FCRA and GLBA; and (3) rulemaking. 93 Within its rulemaking 
authority, the CFPB acquired the power to issue rules declaring certain acts or practices to be 
unlawful because they are unfair, deceptive, or abusive. 94 

The Dodd-Frank Act gave the CFPB supervisory authority over non-bank entities 
including “larger participants of markets for other consumer financial products or services,” such 
as CRAs with over $7 million in annual receipts from consumer reporting activities. 95 

The CFPB supervisory authority includes requiring reports and conducting examinations 
for purposes of: (1) assessing compliance with the requirements of federal consumer financial 
law; (2) obtaining information about activities and compliance systems or procedures; and (3) 
detecting and assessing risks to consumers and to markets for consumer financial products and 
services. 96 The CFPB monitors some of the larger CRAs on an ongoing basis. This oversight 
tends to focus on compliance with FCRA requirements on the accuracy of consumer information, 
rather than data security. 97 

The Dodd-Frank Act granted the CFPB enforcement authority to bring actions against 
financial institutions for unfair, deceptive, or abusive acts or practices. 98 In March 2016, the 
CFPB announced its first data security enforcement action against a company for making 


87 id. 

88 15 U.S.C. § 57(b); 15 U.S.C. § 45(b). 

89 See, e.g., FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d , 799 F.3d 236 (3d Cir. 
2015). 

90 Id. 

91 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, Title X, 124 Stat. 1376 
(2010). 

92 Dodd-Frank Act § 1002(14). 

93 Consumer Fin. Prot. Bureau, CFPB Supervision and Examination Process at 3. 

94 Dodd-Frank Act § 1031(a), § 1036. 

95 Defining Larger Participants of Consumer Reporting Market, 77 Fed. Reg. 42873 (July 20, 2012). 

96 12 U.S.C. § 5514(b)(1) (2012). 

97 Consumer Fin. Prot. Bureau, CFPB Supervision and Examination Process at 774. 

98 Id. at 3; Dodd-Frank Act § 1031(a), § 1036. 
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allegedly deceptive statements regarding its data security practices." The CFPB has taken past 
enforcement actions against CRAs for deceptive practices, but none of these enforcement actions 
were related to data security. 100 

3. Fair Credit Reporting Act 

Congress enacted the Fair Credit Reporting Act (FCRA) in 1970 to promote the accuracy 
and privacy of information in consumer files kept by CRAs. 101 FCRA imposes certain 
responsibilities upon entities, including CRAs, who compile sensitive consumer information in 
credit reports. 102 For example, FCRA requires CRAs to “adopt reasonable procedures for meeting 
the needs of commerce for consumer credit, personnel, insurance, and other information in a 
manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, 
relevancy, and proper utilization of such information.” 103 

Two federal agencies are charged with enforcing FCRA requirements. First, FCRA 
grants FTC the authority to enforce compliance with FCRA requirements. 104 The FTC has 
brought over 100 actions against companies for violating FCRA, and collected over $30 million 
in civil penalties. 105 Second, the Dodd-Frank Act grants the CFPB the authority to enforce 
FCRA. 106 The FTC and the CFPB coordinate their enforcement efforts with a Memorandum of 
Understanding between the agencies. 107 The Memorandum requires one agency to notify the 
other prior to opening an investigation or commencing a legal proceeding for a violation of 
FCRA. 108 


Under FCRA, CRAs must maintain procedures through which consumers can dispute and 
correct inaccurate or incomplete information in their consumer reports. 109 To comply with this 
requirement, Equifax provides three avenues for a consumer to dispute information contained on 
an Equifax credit report: (1) telephonic dispute; (2) written and mailed dispute; and (3) online 


99 Press Release, Consumer Fin. Prot. Bureau, CFPB Takes Action Against Dwolla for Misrepresenting Data 
Security Practices (Mar. 2, 2016), https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against- 
dwolla-for-misrepresenting-data-security-practices/. 

100 See, e.g., Experian Holdings, Inc., 2017-CFPB-0012 (Mar. 23, 2017) (enforcement action for deceiving 
consumers about the use of credit scores sold to consumers); Equifax Inc., 2017-CFPB-0001 (Jan. 3, 2017) & 
TransUnion Interactive, Inc., 2017-CFPB-0002 (Jan. 3, 2017) (enforcement actions for deceiving consumers about 
the usefulness and actual cost of credit scores sold to consumers, and for luring consumers into costly recurring 
payments for credit products). 

101 See 15 U.S.C. § 1681(a) (2012). 

102 Id. 

103 15 U.S.C. § 1681(b) (2012). 

104 15 U.S.C. § 1681s(a) (2012). 

105 Fed. Trade Comm’n, Privacy and Data Security Update: January 2017 - December 2017 at 5. 

106 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. F. No. Ill -203, 124 Stat. 1376 (2010). 

107 Memorandum of Understanding Between the Consumer Financial Protection Bureau and the 
Federal Trade Commission 3-7 (2012), https://www.ftc.gov/system/files/120123ftc-cfpb-mou.pdf; Press Release, 
Fed. Trade Comm’n, FTC, CFPB Reauthorize Memorandum of Understanding (Mar. 12, 2015), 
https://www.ftc.gov/news-events/press-releases/2015/03/ftc-cfpb-reauthorize-memorandum-understanding. 

108 Memorandum of Understanding Between the Consumer Financial Protection Bureau and the 
Federal Trade Commission at 3-7. 

109 15 U.S.C. § 168li(a)-(d)( 1) (2012). 
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disputes received through an internet portal on Equifax’s website. 110 Equifax built the Automated 
Credit Investigation System (ACIS) in the 1970s to handle consumer disputes. 111 When Equifax 
receives a dispute, it locates the consumer’s credit fde and opens an ACIS case to track the 
investigation process. Consumers may submit copies of documents relevant to their credit 
dispute via the ACIS web portal. 

4. Gramm-Leach-Blilev Act 

The Gramm-Leach-Bliley Act (GLBA) requires the FTC to establish standards and 
protections to ensure the security and confidentiality of customer information. 112 Specifically, 
Section 501(b) of GLBA requires the FTC to “establish appropriate standards for the financial 
institutions subject to their jurisdiction relating to administrative, technical, and physical 
safeguards—(1) to insure the security and confidentiality of customer records and information; 
(2) to protect against any anticipated threats or hazards to the security or integrity of such 
records; and (3) to protect against unauthorized access or use of such records or information 
which could result in substantial harm or inconvenience to any customer.” 113 

As part of its implementation of GLBA, the FTC issued the “Safeguards Rule” in 2003. 114 
This rule requires CRAs to develop, implement, and maintain a comprehensive information 
security program to keep customer information secure and confidential. 115 The plan must be 
appropriate to the company’s size and complexity, the nature and scope of its activities, and the 
sensitivity of the customer information it handles. 116 Under this rule, each CRA must: 

1. Designate one or more employees to coordinate its information 
security program; 

2. Identify and assess the risks to customer information in each 
relevant area of the company’s operation, and evaluate the 
effectiveness of the current safeguards for controlling these risks; 

3. Design and implement a safeguards program, and regularly monitor 
and test it; 

4. Select service providers that can maintain appropriate safeguards, 
ensure contracts require them to maintain safeguards, and oversee 
their handling of customer information; and 


110 See Stewart v. Equifax Info. Serv., No. 16-2781, at 5 (D. Kan. Mar. 2, 2018) (order granting summary judgment). 

111 Payne Transcribed Interview at 19-20. 

112 Gramm-Leach-Bliley Act, Pub. L. No. 106-102, Title V, § 501(b), 113 Stat. 1338, 1436 (1999) (codified as 
amended at 15 U.S.C. § 6801(b)). 

113 Id. 

114 16C.F.R. §§ 314.1-5 (2002). 

115 16C.F.R. § 314.3 (2002). 

116 The Fair Credit Reporting Act, Credit Bureaus, and Data Security: Hearing Before the S. Comm, on Banking, 
Housing, & Urban Affairs, 115th Cong. (2018) (prepared written statement of the Federal Trade Commission). 
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5. Evaluate and adjust the program in light of relevant circumstances, 
including changes in the firm’s business or operations, or the results 
of security testing and monitoring. 117 


A year after the FTC enacted the Safeguards Rule, it conducted a nationwide compliance 
sweep to ensure companies were observing these requirements. 118 The FTC took enforcement 
action against companies not in compliance with the Safeguards Rule for failing to protect 
customer’s personal information. 119 The CFPB does not have authority over the Safeguards Rule. 

Under GFBA, financial institutions must comply with the “Privacy Rule.” 120 The Privacy 
Rule requires regulated companies to provide notices to consumers explaining their privacy 
policies and practices. The CFPB is responsible for implementing and enforcing the Privacy 
Rule. 


*** 

In September 2017, both the FTC and CFPB publicly confirmed investigations into the 
Equifax data breach. 121 On October 25, 2018, Equifax provided an update on the ongoing FTC 
and CFPB investigations to the U.S. Securities and Exchange Commission (SEC). Equifax 
stated: 


On June 13, 2018, the CFPB and FTC provided us with notice that the staffs 
of the CFPB and FTC are considering recommending that their respective 
agencies take legal action against us, and that the agencies may seek 
injunctive relief against us, as well as damages and civil money penalties. 
We submitted written responses to the CFPB and FTC addressing their 
expected allegations and we continue to cooperate with the agencies in their 
investigations. 122 


117 Fed. Trade Comm’n, Financial Institutions and Customer Information: Complying with the 
Safeguards Rule (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions- 
customer-information-complying. 

118 Press Release, Fed. Trade Comm’n, FTC Enforces Gramm-Leach-Bliley Act’s Safeguards Rule Against 
Mortgage Companies (Nov. 16, 2004), https://www.ftc.gov/news-events/press-releases/2004/ll/ftc-enforces- 
gramm-leach-bliley-acts-safeguards-rule-against. 

119 Id. 

120 12 C.F.R. §§ 1016.1-17 (2011). 

121 David McLaughlin and Todd Shields, FTC Opens Investigation into Equifax Breach, BLOOMBERG (Sept. 14, 
2017), https://www.bloomberg.eom/news/articles/2017-09-14/equifax-scrutiny-widens-as-ftc-opens-investigation- 
into-breach; Roger Yu & Kevin McCoy, Equifax Data Breach: Feds Start Investigation (Sept. 14, 2017), 
https://www.usatoday.com/story/money/2017/09/14/ftc-investigating-equifax-over-data-breach/665550001/. 

122 Equifax, Quarterly Report for the Period Ended September 30, 2018 (form 10-Q) (Oct. 25, 2018), 
https://otp.tools.investis.com/clients/us/equifax/SEC/sec- 

sho w.aspx?T ype=html&FilingId= 13023015&CIK=0000033185&Index= 10000. 
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B. Breach Notification and Disclosure Requirements 

After a data breach occurs, private sector entities must comply with a myriad of 
regulations and laws regarding disclosure and notification requirements. For instance, Equifax 
officials reported they informed the FTC, SEC, state officials, and the Financial Services 
Information Sharing and Analysis Center (FS-ISAC) of the 2017 data breach. 123 

While there is no comprehensive federal data breach notification law, all fifty states have 
enacted legislation requiring private entities to notify individuals about a security breach 
affecting their personal information. 124 State data breach notification laws generally include 
several components: 

1. Which entities must comply with the law; 

2. What personal information is protected, and how a breach is 
defined; 

3. What degree of actual harm must occur, if any, for notice to be 
triggered; 

4. How and when notice must be delivered; 

5. If there are any exceptions or safe harbors; 

6. Preemption of other state laws, and relation to other federal laws; 
and 

7. Penalties, enforcement authorities, and remedies for those 
harmed. 125 

One example of inconsistency between state breach notification laws is the notice 
requirement. Some states may require notice to be made “without reasonable delay,” while 
others require private entities to provide notice within 45 days after discovery of the breach. 126 
Another aspect where state laws differ is the definition of personal information. 127 This means, 
based on the type of information stolen, a private entity may have to notify consumers in one 
state, but not consumers in another state even though the same type of consumer information was 
stolen. 


In addition to providing state officials notice of a breach, a private entity may be required 
to disclose cybersecurity risks and cyber incidents to investors. In October 2011, the SEC 
released non-binding guidance detailing the obligations public companies have related to 


123 GAO Equifax Data Breach Report at 25-26. 

124 National Conference of State Legislatures, Security Breach Notification Laws (Sept. 29, 2018), 
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification- 
laws.aspx. 

125 N. Eric Weiss & Rena S. Miller, Cong. Research Serv., R43496, The Target and Other Financial Data 
Breaches: Frequently Asked Questions 23 (2015), http://www.crs.gov/reports/pdf/R43496. 

126 Id. 

127 Id. 
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disclosing cybersecurity risks and cyber incidents. 128 According to the guidance, if cybersecurity 
risks or incidents are “sufficiently material to investors,” a private company may be required to 
disclose the information in registration statements, financial statements, and 8-K forms. 129 

Equifax did not disclose any cybersecurity risks or cybersecurity incidents in its SEC 
filings prior to the 2017 data breach. 130 Following the 2017 breach, Equifax included information 
related to the breach in subsequent 2017 and 2018 filings. 131 


128 Sec. & Exchange Comm’n, CF Disclosure Guidance: Topic No. 2 (Cybersecurity) (Oct. 13, 2011), 
https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 

129 Id. 

130 See generally SEC Filings , EQUIFAX, https://investor.equifax.com/financial-information/sec-filings (last visited 
Oct. 27, 2018)/ 

131 Equifax, Current Report (form 8-K) (Sept. 7, 2017) (explaining the cybersecurity incident), 
https://otp.tools.investis.com/clients/us/equifax/SEC/sec- 

sho w.aspx?T ype=html&FilingId=12271940&CIK=0000033185&Index= 10000. 
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III. Anatomy of the Equifax Data Breach 


A culture of cybersecurity complacency at Equifax led to the successful exfiltration of the 
personal information of approximately 148 million individuals. Equifax’s failure to patch a 
known critical vulnerability left its systems at risk for 145 days. 132 The company’s failure to 
implement basic security protocols, including file integrity monitoring and network 
segmentation, allowed the attackers to access and remove large amounts of data. The attackers 
were able to exfiltrate this data because the digital certificate allowing Equifax to monitor 
encrypted network traffic flowing through the ACIS environment expired 19 months prior to the 
discovery of the breach. This chapter details events leading to the 2017 data breach. 

A. Apache Struts Vulnerability Publicized, Equifax Attempts to Patch 
(Feb. - Mar. 2017) 

Apache Struts is an open-source web application framework. Specifically, Apache Struts 
is middleware - a software that runs between an operating system and an application, and allows 
the application to successfully run on the operating system. 133 

February 14, 2017 - The Apache Software Foundation received the first report of a vulnerability 
found in multiple versions of Apache Struts. 134 A security researcher discovered the vulnerability 
and reported the bug to Apache through its security mailing list. 135 

March 7, 2017 - The Apache Struts Project Management Committee (PMC) publicly disclosed 
the Apache Struts vulnerability. 136 The vulnerability related to how Apache Struts processed data 
sent to a server. 137 Attackers could use file uploads to trigger a remote code execution bug, which 
allowed the attacker to send malicious code or commands to a server. The National Vulnerability 
Database’s impact analysis indicated the complexity of an attack exploiting this vulnerability 
was low, and the potential for total loss of confidentiality, integrity, and availability of resources 
in a compromised system was high (see Figure 3). 138 The National Vulnerability Database is a 
government repository for IT vulnerability management data. 139 


132 Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee). Equifax’s systems were vulnerable to attackers 
exploiting the Apache Stmts vulnerability from March 8, 2017 (the date US-CERT alerted Equifax to the 
vulnerability) until July 30, 2017 (the date Equifax took the vulnerable ACIS application offline). 

133 Middleware , TECHOPEDIA, https://www.techopedia.com/definition/450/middleware (last visited Oct. 16, 2018). 

134 Response from The Apache Software Foundation to Questions from U.S. House Committee on Energy and 
Commerce Regarding Equifax Data Breach , APACHE SOFTWARE FOUNDATION (Oct. 3, 2017), 
https://blogs.apache.org/foundation/entry/responses-to-questions-from-us. 

135 Id. 

136 Id. The vulnerability was assigned the identifier CVE-2017-5638. 

137 National Vulnerability Database, CVE-2017-5638 Detail, NIST.GOV (Mar. 10, 2017), 
https://nvd.nist.gOv/vuln/detail/CVE-2017-5638#vulnCurrentDescriptionTitle. 

138 Id. 

139 National Vulnerability Database, https://nvd.nist.gov/ (last visited Nov. 15, 2018). 
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CVE-2017-5638 Impact Analysis 

Base Score: 10.0 CRITICAL 

Exploitability Score: 3.9 

Impact Score: 6.0 

Base Score = (Exploitability Score + Impact Score) multiplied x 1.08 for the Scope Change (rounding to 

10.0 if total exceeds 10) 

Exploitability score metrics 

Attack Vector: Network 

A "remotely exploitable" vulnerability via network attack is the easiest 
to exploit. Network attack vector is the most serious rating. 

Attack Complexity: Low 

Specialized access conditions or extenuating circumstances do not 
exist. An attacker can expect repeatable success against the vulnerable 
component. Low attack complexity is the most serious rating because 
it is the easiest to conduct. 

Privileges Required: None 

Authorized access is not required to carry out an attack. No privileges 
required is the most serious rating. 

User Interaction: None 

The vulnerable system can be exploited without interaction from any 
user. No user interaction required is the most serious rating. 

Scope: Changed 

When attackers can use the vulnerability in a software component to 
affect software/hardware/network resources beyond its authorization 
privileges, a Scope change has occurred. Changed scope is the most 
serious rating. 

Impact score metrics (high is the most serious rating) 

Confidentiality: High 

There is a total loss of data confidentiality, resulting in all resources 
within the impacted component being divulged to the attacker. 

Integrity: High 

There is a total loss of data integrity or a complete loss of protection. 

Availability: High 

There is a total loss of operational availability, resulting in the attacker 
being able to fully deny access to resources in the impacted 
component. 

Additional Information: 

Allows unauthorized disclosure of information 

Allows unauthorized modification 

Allows disruption of service 


Figure 3: National Vulnerability Database CVE-2017-5638 Impact Analysis 140 


Once the Apache Struts vulnerability was widely reported, security researchers observed 
a high number of exploitation attempts almost immediately. 141 One firm observed hackers 
attempting simple commands (i.e., whoami) as well as more sophisticated commands. 142 On 
March 7, information about how to expose the Apache Struts flaw was posted to the Chinese 


140 National Vulnerability Database, CVE-2017-5638 Detail, NIST.GOV (Mar. 10, 2017), 
https://nvd.nist.gOv/vuln/detail/CVE-2017-5638#vulnCurrentDescriptionTitle. 

141 Nick Biasini, Content-Type: Malicious - New Apache Struts 2 0-Day Under Attack, Talos (Mar. 8, 2017), 
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html. 

142 Id. 
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security website FreeBuf.com and Metasploit, a popular free suite of hacking tools. 143 The 
Apache Struts PMC released a patch for this vulnerability on the same day. 144 

March 8, 2017 - The Department of Homeland Security’s U.S. Computer Emergency Readiness 
Team (US-CERT) sent Equifax a notice of the need to patch the Apache Struts vulnerability. 145 
Multiple people at Equifax received the US-CERT email, including the Global Threat and 
Vulnerability Management (GTVM) team and former CSO Susan Mauldin. 146 

March 9, 2017 - Equifax disseminated the US-CERT notification via the GTVM listserv 
process. 147 Approximately 430 individuals and various distribution lists received this email. 148 
The email instructed personnel responsible for Apache Struts installations to upgrade to specific 
Apache Struts 2 versions. The GTVM email stated: “As exploits are available for this 
vulnerability and it is currently being exploited, it is rated at a critical risk and requires patching 
within 48 hours as per the security policy.” 149 

Equifax Security performed an open source component scan to identify any systems with 
a vulnerable version of Apache Struts. 150 The scan did not identify any components utilizing an 
affected version of Apache Struts. 151 Interim CSO Russ Ayres stated the scan missed identifying 
the vulnerability because the scan was run on the root directory, not the subdirectory where the 
Apache Struts was listed. 152 

March 10, 2017 - Mandiant, the firm hired by Equifax to complete a forensic investigation of 
the breach, found the first evidence of the Apache Struts vulnerability being exploited at Equifax 
(the “initial recon” step in Figure 4). Attackers ran the “whoami” command to discover other 


143 Michael Riley, Jordan Robertson, & Anita Sharpe, The Equifax Hack Has the Hallmarks of State-Sponsored 
Pros , Bloomberg (Sept. 29, 2017), https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has- 
all-the-hallmarks-of-state-sponsored-pros. See also Metasploit Framework: CVE-2017-5638 - Apache Struts 2 S2- 
045, GitHub (Mar. 7, 2017), https://github.com/rapid7/metasploit-framework/issues/8064. 

144 Apache Struts 2 Security Bulletin S2-045, CONFLUENCE (last modified Mar. 19, 2017), 
https://cwiki.apache.org/confluence/display/WW/S2-045. 

145 Email from U.S. Computer Emergency Readiness Team, to GTVM, Equifax (Mar. 8, 2017, 7:31:16 PM) (on file 
with Committee, EFXCONG-SSTOGROOOOOOO 6 O). 

146 Email from U.S. Computer Emergency Readiness Team, to Susan Mauldin, Chief Sec. Officer, Equifax (March 
8, 2017, 7:31:16 PM) (on file with Committee, EFXCONG-SSTOGR000000672). 

147 See infra Chapter 5, subsection B.l. Email from GTVM, Equifax, to GTVM Alerts, Equifax (Mar. 9, 2017, 

9:31:48 AM) (on file with Committee, EFXCONG-SSTOGR000000508). 

148 GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG- 
SSTOGR000068115; EFXCONG-SSTOGR000067381). 

149 Email from GTVM, Equifax, to GTVM Alerts, Equifax (March 9, 2018, 9:31:48 AM) (on file with Committee, 
EFXCONG-SSTOGR000000508). 

150 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 

151 Id. 

152 Computers store data in a series of directories (folders). The main directory of a file system is the root directory. 
All other folders within the file system are subdirectories of the root folder. This structure is what allows computer 
users to store separate documents (here, the “Users” folder would be one or two levels under the operating system’s 
root directory, and within each User’s subfolder would be folders for “Documents” and “Pictures”). The directory 
structure keeps file systems hierarchically organized. 

See Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 
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potentially vulnerable servers connected to the Equifax network. 153 However, Mandiant found no 
direct evidence the March 10 actions were connected to the activity that began on May 13. 154 

March 14, 2017 - Equifax’s Emerging Threats team released a Snort signature rule, written to 
detect a specific vulnerability and perform an action, to detect Apache Struts exploitation 
attempts. 155 The Equifax Countermeasures team installed the Snort rule written to detect Apache 
Struts exploitation attempts on the intrusion detection and prevention systems on March 14. 156 

March 15, 2017 - Equifax received a new signature rule to detect vulnerable versions of Apache 
Struts from McAfee on March 15. 157 The company used the McAfee Vulnerability Manager tool 
to scan its externally facing systems with this signature twice. 158 The scanner checked 958 
external-facing Equifax IP addresses and did not find any instance where the vulnerability was 
present. 159 In short, both of the scanning tools used by Equifax during the patching process failed 
to identify the presence of vulnerable versions of Apache Struts. 160 

March 16, 2017 - The Apache Struts vulnerability was discussed at a monthly meeting hosted 
by the GTVM team. 161 The GTVM meeting slides stated the vulnerability was currently being 
exploited, and reminded those responsible for Apache Struts installations to upgrade to versions 
2.3.32 or 2.5.10.1. 162 The slides were emailed to all 430 individuals on the GTVM listserv after 
the meeting. 163 


153 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018). 

154 Id. 

155 GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG- 
SSTOGR000068115); see also Understanding and Configuring Snort Rules, Rapid7 Blog (Dec. 9, 2016), 
https://blog.rapid7.eom/2016/12/09/understanding-and-configuring-snort-mles/. 

156 GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG- 
SSTOGR000068115); Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & 
Gov’t Reform & H. Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 

157 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 

158 Id. 

159 Email from Berlene Herren, Vice President Cyber Threat Resistance, Equifax, to Jamie Fike, Workforce 
Solutions, Equifax (Mar. 15, 2017, 1:56:38 PM) (on file with Committee, EFXCONG-SSTOGR000000510). 

160 Witness testimony shows the scanning tools may have failed to detect the presence of the Apache Struts 
vulnerability due to the lack of visibility into Equifax’s complex legacy IT environments. See Payne Transcribed 
Interview at 15, 28. 

161 GTVM, Apache Struts 2 Vulnerability Incident Response Chart (on file with Committee, EFXCONG- 
SSTOGR000068115). 

162 Global Threat & Vulnerability Management, Vulnerability Assessment March 2017 1, 11 (on file 
with Committee, EFXCONG-SSTOGR000000195-EFXCONG-SSTOGR000000231). 

163 Id.\ see also Email from Joe Sanders to Susan Mauldin (Aug. 7, 2017, 8:52 AM) (on file with Committee, 
EFXCONG-SSTOGR000067381). 
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B. Attackers Breach Equifax and Remain Undetected for 76 Days (May - 
July 2017) 



Figure 4: Lifecycle of an Attack lM 

May 13 - July 30, 2017 - On May 13, attackers entered the Equifax network through the Apache 
Struts vulnerability located within the ACIS environment, an internet-facing business system 
individuals use to dispute incorrect information found within their credit file (the “initial 
compromise” step in Figure 4). 165 Equifax originally built this system in the 1970s to meet FCRA 
requirements. It was operating on a complex legacy IT system housed within a data center in 
Alpharetta, Georgia. 166 

After entering the ACIS environment through the Apache Struts vulnerability, the 
attackers uploaded the first web shells, which are malicious scripts uploaded to a compromised 
server to enable remote control of the machine (the “establish foothold” step in Figure 4). 167 Web 
shells can enable file system and database manipulation, facilitate system command execution, 
and provide file upload/download capability. 168 In essence, a web shell provides a secret 
backdoor for an attacker to reenter and interact with a compromised system. 

The ACIS environment was comprised of two web servers and two application servers, 
with firewalls set up at the perimeter of the web servers. 169 Attackers exploited the Apache Struts 
vulnerability found on the application servers to bypass these firewalls. 170 Once inside the 


164 Jessee Leimgruber, Here’s How Easily You Could’ve Hacked Equifax, BLOOM Blog (Sept. 17, 2017), 
https://blog.hellobloom.io/how-hard-was-the-equifax-hack-a3bae36f9e6f. 

165 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018); see also Mauldin Transcribed Interview at 21. 

166 Payne Transcribed Interview at 19-20, 132. 

167 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018); see also Compromised Web Servers and Web Shells - Threat Awareness and Guidance, US- 
CERT (Aug. 9, 2017), https://www.us-cert.gov/ncas/alerts/TA15-314A. 

168 Fidelis Cybersecurity, Understanding Web Shells 1, 4 (2016), available at 
https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Webshells_1605.pdf. 

169 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018). 

170 Id. 
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network, the attackers created web shells on both application servers. 171 This provided the 
attackers with the ability to execute commands directly on the system hosted on the application 
servers. 172 Approximately 30 unique web shells were used to perform the attack. 173 According to 
Mandiant, file integrity monitoring could have discovered the creation of these web shells by 
detecting and alerting to potentially unauthorized network changes. 174 Equifax did not have file 
integrity monitoring enabled on the ACIS system at the time of the attack. 175 

After installing the first web shells, the attackers accessed a mounted file share containing 
unencrypted application credentials (i.e., username and password) stored in a configuration file 
database (the “escalate privileges” step in Figure 4). 176 Mounting is a process by which the 
operating system makes files and directories on a storage device available for internal access via 
the computer’s file system. 177 Attackers were able to access the file share because Equifax did not 
limit access to sensitive files across its internal legacy IT systems. 178 Ayres stated storage of these 
credentials in this manner was inconsistent with Equifax policy. 179 

Although the ACIS application required access to only three databases within the Equifax 
environment to perform its business function, the ACIS application was not segmented off from 
other, unrelated databases. 180 As a result, the attackers used the application credentials to gain 
access to 48 unrelated databases outside of the ACIS environment. 181 

Attackers ran approximately 9,000 queries on these databases and obtained access to 
sensitive stored data (the “internal recon” step in Figure 4). 182 The attackers queried the metadata 
from a specific table to discover the type of information contained within the table. 183 Once the 
attackers found a table with PII, they performed additional queries to retrieve the data from the 
table. 184 In total, 265 of the 9,000 queries the attackers ran within the Equifax environment 


171 Id. 

172 Mandiant, Mandiant Report 1, 2 (2017) (on file with Committee). 

173 Id. at 2. 

174 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018); see infra, Chapter 5, subsection C.4. 

175 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018). 

176 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017); Briefing by Mandiant, to H. Comm, on Oversight & Gov’t 
Reform & H. Comm, on Science, Space, & Tech. Staff (Aug. 17, 2018). 

177 See Mounting , Linux INFORMATION PROJECT, http://www.linfo.org/mounting.html (last visited Oct. 10, 2018). 

178 See infra. Chapter 5, subsection C.4. 

179 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 

180 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018). 

181 Id. 

182 Id. 

183 Id. 
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returned datasets containing PII. 185 None of the PII contained in these datasets was encrypted at 
rest. 186 


The attackers stored the PII data output from each of the 265 successful queries in files. 187 
The attackers compressed these files and placed them into a web accessible directory. 188 Then, 
the attackers issued commands through the tool Wget - a common system utility that allows the 
user to issue commands and retrieve content from web servers - to transfer the data files out of 
the Equifax environment. 189 The attackers used the web shells to exfiltrate some of the data (the 
“complete mission” step in Figure 4). 190 The attackers used an estimated 35 different IP addresses 
to interact with the ACIS environment. 191 

The attack lasted for 76 days before it was discovered by Equifax employees. An expired 
Secure Sockets Layer (SSL) certificate prevented Equifax from monitoring traffic to the ACIS 
environment. 192 SSL is a standard security protocol that enables encrypted communication 
between a web browser and a web server. To create this secure connection, an active SSL 
certificate must be installed at the point where decryption will occur. SSL certificates have a 
lifespan of either 27 or 39 months, depending on the date the SSL certificate was issued. 193 After 
this period, the certificate expires and must be renewed or replaced to become active once 
again. 194 


185 Id. 

186 Oversight of the Equifax Bata Breach: Answers for Consumers: Hearing Before the Subcomm. on Digital 
Commerce & Consumer Prot. of the H. Comm, on Energy & Commerce, 115th Cong. (2017) (testimony of Richard 
Smith, Former Chief Exec. Officer, Equifax); Mauldin Transcribed Interview at 136. 

“Data at rest” is data not actively moving across a network, such as data stored on a hard drive. Encryption enables a 
data owner to scramble the content of protected documents by requiring a decryption key to decipher it. Only 
authorized viewers with access to the decryption key are able to read the protected information. Encrypting data at 
rest is the most effective way to safeguard it from unauthorized intruders. See Nate Lord, Data Protection: Data in 
Transit v\v. Data at Rest, DIGITAL GUARDIAN (Sept. 19, 2018), https://digitalguardian.com/blog/data-protection-data- 
in-transit-vs-data-at-rest. 

187 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 

Staff (Aug. 17, 2018). 

188 Id. 

189 Id.; see also Introduction to GNU Wget, Free SOFTWARE FOUNDATION, https://www.gnu.org/software/wget/ (last 
visited Oct. 10, 2018). 

190 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 

Staff (Aug. 17, 2018). 

191 Id. 

192 Id. 

193 SSL certificates issued prior to March 1, 2018 have a lifespan of up to 39 months, but any certificates issued after 
this date expire after 27 months due to a rule change in the Certificate Authority (CA) Browser Forum’s Baseline 
Requirements. The CA/Browser Forum, a voluntary group of certification authorities and internet browser vendors, 
develops standards for the issuance and management of digital certificates. See CA/Browser Forum, Baseline 
Requirements for the Issuance and Management of Publicly-Trusted Certificates 1, 39 (2018), 
https://cabfomm.0rg/wp-content/uploads/CA-Browser-Fomm-BR-l.6.O.pdf. 

194 Id. 
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The expired SSL certificate was installed on a traffic monitoring device called an SSL 
Visibility (SSLV) appliance. 195 This device allowed Equifax to inspect encrypted traffic flowing 
to and from the ACIS platform by decrypting the traffic for analysis prior to sending it through to 
the ACIS servers. 196 Both the intrusion detection system and the intrusion prevention system were 
behind this monitoring device (see Figure 5). 197 


SSL Visibility Appliance 



Internal 

servers 


Intrusion detection and 
prevention systems 


. 


Figure 5: Traffic Flow from External Computer through SSLV Appliance m 

The default setting for this device allowed web traffic to continue through to the ACIS 
system, even when the SSL certificate was expired. 199 When this occurs, traffic flowing to and 
from the internet is not analyzed by the intrusion detection or prevention systems because these 
security tools cannot analyze encrypted traffic. 

According to documents obtained, the SSL certificate installed on the SSLV device 
monitoring the ACIS domain ai.equifax.com expired on January 31, 2016. 200 As a result, Equifax 
did not have visibility into the network traffic in the ACIS environment for nineteen months. 201 

C. Equifax Detects the Data Breach and Initiates Project Sierra (July - 
Aug. 2017) 

July 29, 2017 - At 9:00 pm, the Equifax Countermeasures team uploaded 67 new SSL 
certificates to the SSLV appliance at the Alpharetta, Georgia data center where the ACIS 


195 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 

196 Id. 

197 See infra. Chapter 3, Figure 4. 

198 Inbound and Outbound SSL Inspection, SYMANTEC, https://origin- 

symwisedownload.symantec.com/resources/webguides/sslv/sslva_first_steps/ContentATopics/Overviews/ssl_insectio 
n_overview.htm (last visited Oct. 23, 2018) (labels edited). 

199 Briefing by Russ Ayres, Interim Chief Sec. Officer, Equifax, to H. Comm, on Oversight & Gov’t Reform & H. 
Comm, on Science, Space & Tech. Staff (Oct. 19, 2017). 

200 Equifax, Master List of Expired Certificates (current on July 29, 2017) (on file with Committee, EFXCONG- 
SSTOGR000029241). 

201 Id. GAO reported this certificate was expired for ten months. See GAO Equifax Data Breach Report at 18. 
However, documents produced to the Committee show the expiration date for the certificate was January 31, 2016. 
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environment was located. 202 This allowed the company to resume the inspection of traffic 
flowing to and from the ACIS application. The Countermeasures team monitored the appliance 
and the intrusion prevention system for any sudden increase in security alerts. 203 

The Countermeasures team began reviewing packet captures to ensure decryption was 
taking place. 204 Packet capture is the creation of a copy of a data packet as it travels across a 
specific network point. 205 Packets are temporarily stored for analysis of the captured data. A full 
packet includes a payload (the actual contents of the packet) and a header (information such as 
the packet’s source and destination address). 

Almost immediately, the Equifax Countermeasures team detected a suspicious request 
from an IP address originating in China. 206 The team analyzed the full suspicious packet and 
other recent requests. 207 The server response for most of these recent requests contained more 
than 10 megabytes of data, and possibly contained image files related to credit investigations. 208 

Equifax used the tool Moloch - an open source piece of software used to index, view, and 
analyze packet captures - to index network traffic. 209 After employees noticed the suspicious 
foreign traffic, Equifax ran a search for the Chinese IP address on Moloch. 210 Search results 
showed persistent attempts to contact the ACIS web portal from this IP address since July 25, 
2017. 211 The Countermeasures team made the decision to block the Internet Service Provider 
(ISP) used by this IP address. 212 Equifax employees were unable to determine what this actor did 
prior to July 29, including any details on the requests made to the ACIS application, because of 
the expired SSL certificate. 213 

July 30, 2017 - Equifax continued its incident investigation by conducting vulnerability testing 
of the ACIS application. 214 Equifax discovered flaws in the ACIS code rendering the system 
vulnerable to SQL injection and Insecure Direct Object Reference attacks. 215 The SQL injection 
flaw allows an attacker to inject or retrieve database information. 216 The Insecure Direct Object 
Reference flaw allows direct access to system data without requiring appropriate authentication 
or authorization. 217 The ACIS application had been tested for vulnerabilities in April 2017 after 


202 Cyber Threat Center, Project Sierra 1, 4 (July 31, 2017) (on file with Committee, EFXCONG- 
SSTOGR000003446-EFXCONG-SSTOGR000003454) [hereinafter CTC Project Sierra], 

203 Id. at 4-5. 

204 Id. at 5. 

205 Packet Capture , TECHOPEDIA, https://www.techopedia.com/defmition/25333/packet-capture (last visited Oct. 17, 
2018). 

206 CTC Project Sierra at 5. 

207 Id. 

208 Id. 

209 Id. at 6 ; see MOLOCH HOME, https://molo.ch/ (last visited Oct. 17, 2018). 

210 CTC Project Sierra at 6 . 

211 Id. 

212 Id. 

213 Email from Corporate Security Support, Equifax, to Joe Sanders, Senior Director for Security, GTVM, Equifax 
(July 31, 2017, 12:00:03 AM). 

214 CTC Project Sierra at 6 . 

215 Id. 

216 Id. 

217 Id. 
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Equifax knew about the Apache Struts flaw and no unremediated vulnerabilities were found. 218 It 
is unclear why the April 2017 vulnerability testing and the July 30, 2017 vulnerability testing 
produced different results. 

The Equifax forensic team soon discovered the exfiltrated data likely contained PII. 219 
Equifax observed additional instances of suspicious traffic originating from a second IP address 
owned by a German ISP, but leased to a Chinese provider. 220 As a result of these findings, 
Equifax decided to shut down the ACIS web portal for emergency maintenance on July 30 at 
12:41 pm. 221 The cyberattack ended when the application was taken offline. 

One of CSO Susan Mauldin’s employees called to inform her of the incident around 1:30 
pm, and told her to join an incident management conference call as soon as possible. 222 When she 
joined the conference, a group of IT and Security employees were discussing the logistics of 
taking the ACIS machine offline. 223 Mauldin testified: 

Q. And what, if anything, did you say on the call on July 30, 2017, 
when the team reported that they wanted to take the ACIS machine 
offline? 

A. Well, it was already - the machine coming offline was already in 
progress. So they were not asking for my approval at that point. It 
was already in process. But I - so I did not have to give approval for 
it. At the point, I was mostly listening and trying to learn what was 
going on, because I was coming into it brand-new, not really 
knowing anything. 224 

Immediately after this call, Mauldin emailed information about the security incident to 
Chief Legal Officer John Kelley, who was on vacation at the time, and the employee within the 
Legal office covering for Kelley while he was away. 225 Mauldin did not recall either of them 
responding to her email that day. 226 

Around 6:30 pm, Mauldin called Graeme Payne, Senior Vice President and CIO for 
Global Corporate Platforms, the senior manager for the ACIS application. Mauldin testified: 

A. My best recollection of that discussion is that I informed him that 
we had a security incident that involved the ACIS application; we 
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thought there might be an exploit of Apache Struts, but we were not 
sure at that time; that the server was down, so therefore the 
application was offline; and we needed his help to work with his 
development team to perform some research, to work with a 
Security team and perform some research for us so that we would 
understand whether they were using [Apache] Struts and what the 
version was and so forth so that we could start on the investigation 
of what happened. 

Q. And can you tell me, what, if anything, did Mr. Payne say in 
response to you on the call you had with him on July 30, 2017? 

A. In my recollection, I don’t remember the exact words, but I can say 
that Mr. Payne was . . . very agreeable. Obviously, this was an 
application under his area of responsibility. He certainly agreed to 
help. He responded in very . . . urgent manner and did everything 
that we asked him to do. 227 

Payne informed CIO David Webb of the incident via email on July 30 at 7:16 pm. 228 

July 31, 2017 - Equifax assigned the code name Project Sierra to the incident response efforts. 229 
On a 7:00 am call with the initial Project Sierra group, Equifax’s Vulnerability Assessment team 
discussed the findings of the ACIS application review conducted on July 30. 230 The team had 
identified an unexpected JSP file inserted into the ACIS application through SQL injection. 231 A 
JavaServer Pages (JSP) file is a dynamic server-generated web page. 232 In short, if a JSP file is 
placed in an appropriate location on a web server, it creates a web shell able to respond to a 
command from an attacker. 233 This command causes the web server to process or execute the 
code within the file and return the generated output in the form of a web page. 

Equifax discovered code within the JSP file provided the avenue for the exploit. 234 
Following this 7:00 am call, a second unexpected JSP file was identified within the ACIS 
application. 235 The forensics team immediately imaged these environments. 236 

Payne and Webb met early on Monday, July 31 to discuss what was known about the 
incident. Webb testified: 
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A. Yes. So on the Monday . . . I’m typically an early morning person, 

Graeme is an early morning person. So we huddled early, and he 
just gave me a very brief update to let me know that there was an 
incident, that we didn’t know what was going on, and that we were 
doing the investigative work alongside the security team. So in these 
instances, we take direction from Security. 

Q. Did he give you any sense of the severity of the incident at that 
point? 

A. No. 237 

As of July 31, Equifax did not definitively know how the attackers entered the ACIS 
environment, but Equifax suspected the attackers utilized an Apache Struts exploit. 238 The 
Vulnerability Assessment team conducted a review of closed vulnerabilities for the ACIS portal, 
looking for potential avenues of exploitation. 239 The team discovered a scan performed on 
January 25, 2017 had identified a remediated Apache Struts vulnerability on the ACIS 
platform. 240 Developers provided Vulnerability Assessment employees with the application’s 
WAR file - a compressed package containing all of the files and other Java components used to 
run an application. 241 The WAR file confirmed the ACIS application was running a vulnerable 
version of Apache Struts. 242 

Later on July 31, the Vulnerability Assessment team conducted a manual review looking 
for additional instances of Apache Struts on other servers. 243 A vulnerable version of Apache 
Struts was discovered on a second server within the ACIS application. 244 Equifax did not load a 
SSL certificate on this server, so it did not have visibility into the traffic to and from this 
server. 245 Equifax uploaded a SSL certificate for this domain on August 3. 246 

Based on information confirmed on July 31 by the lead forensic analyst, Mauldin stated 
“I felt like I knew at that point that PII had been involved in this incident.” 247 She reported this to 
John Kelley on July 31, but did not inform David Webb. 248 Mauldin testified: 
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Q. Is there any particular reason why you did not report to the CIO your 
belief that PII may have been exfiltrated in connection with the 
security incident we have been discussing? 

A. I don’t remember a particular reason about that .... I just don’t 
remember thinking about that. 249 

August 1, 2017 - Graeme Payne provided David Webb with a brief update on the Project Sierra 
investigation. He told Webb the investigation was progressing but no new information was 
known at the time. 250 This was Webb’s last involvement with Project Sierra until August 17, 
2017. Webb went on vacation out of the country from August 2 through August 16. 251 

*** 

Equifax’s discovery of the data breach and subsequent incident response findings quickly 
led to discussions on how, and when, to notify affected individuals. The company would soon 
learn the extent of the incident - the sensitive personal information Equifax held on 148 million 
consumers was compromised. Equifax had to quickly prepare for public notification of the 
massive data breach. 
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IV. Equifax Notifies the Public of the Massive Data Breach 


On September 7, 2017, Equifax notified the public about the data breach affecting an 
estimated 143 million consumers, a number which later increased to 148 million. Prior to 
notifying the public, Equifax attempted to prepare a dedicated breach notification website and 
staff call centers to manage the influx of consumers seeking information about the breach. In 
addition, Equifax made changes to its senior leadership. 

A. Preparations for September 7, 2017 Public Notice 

After Equifax discovered the breach and took actions to stop further attacks, the company 
hired an outside cybersecurity firm to conduct a forensic investigation. The forensic investigation 
determined the extent of the breach, the amount of consumer information compromised, and the 
identities of affected consumers. Equifax initiated Project Sparta to prepare for public 
notification. 

1. Equifax Briefs Senior Leaders and Begins Forensic Investigation 

July 31, 2017 - CIO David Webb informed CEO Richard Smith about the security incident, but 
explained limited information was available. 252 Webb stated he thought it prudent to inform the 
CEO at the time because the incident involved “a portal that’s used by millions of Equifax 
customers every year to send in disputes or complaints - and if the online service [was] not 
available, then they call the call centers.” 253 During the next few weeks, Equifax scrambled to 
prepare for public notification of the data breach and the intense public scrutiny which would 
follow. 

August 2, 2017 - Equifax contacted outside counsel and informed the Federal Bureau of 
Investigation about the breach. 254 Outside counsel contacted the cybersecurity firm Mandiant. 255 
Equifax hired Mandiant to complete a comprehensive forensic review of the breach and 
determine the scope of the intrusion. 256 

August 3, 2017 - Mandiant conducted its forensic review from August 3 to October 2. 257 To 
complete its forensic review, Mandiant preserved the databases the attackers accessed and ran a 
search for any relevant queries the attackers used when accessing the database. 258 Mandiant 
identified potential access points based on forensic markers left behind by the attackers on 
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Equifax’s servers. 259 The firm used these forensic markers to recreate the attacker’s actions and 
discover the extent of the information they were able to access. 

August 11, 2017 - Mandiant first identified potential access to consumer PII by the attackers. 260 

August 15, 2017 - Equifax employees informed Smith consumer PII was likely stolen. 261 

August 17, 2017 - By this date, Equifax determined “large volumes of consumer data . . . had 
been compromised.” 262 Senior leadership from Equifax, a Mandiant representative, and outside 
counsel met to discuss the ongoing forensic investigation. 263 Senior leadership included the CEO, 
CIO, Chief Legal Officer, Chief Financial Officer, and the business lead for the ACIS 
environment. 264 Mandiant continued its investigation after this meeting to determine the extent of 
compromised consumer data. 

August 24 - 27, 2017 - Mandiant confirmed a significant volume of PII had been accessed by 
the attackers. 265 The forensics firm coordinated with Equifax database owners to identify what 
data attackers accessed and the affected individuals. 266 This process was challenging because 
Equifax did not have a list of database owners, and certain data within the databases was not 
clearly identifiable. On August 24 and August 25, Smith informed the Equifax Board of 
Directors about the breach. 267 

September 1, 2017 - Equifax convened a Board meeting to discuss the investigation, the scale of 
the PII compromise, and notification plans. 268 Another senior leadership team meeting occurred 
later this day. Mauldin attended the senior leadership team meeting and stated topics discussed 
included the status of the forensic investigation, the number of affected records, possible causes 
of the incident, and actions to complete the investigation. 269 
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September 4, 2017 - Equifax, with forensic support from Mandiant, completed a list of 
approximately 143 million affected consumers. 270 

While the Board convened and senior leadership received updates on Mandiant’s 
investigation, other Equifax employees prepared to launch a dedicated breach notification 
website and establish call centers to support consumer outreach. 

2. Equifax Launches Project Sparta and Prepares Call Centers 

In mid-August 2017, Equifax initiated a response-related effort called Project Sparta. 271 
The purpose of Project Sparta was to create a consumer-facing website for individuals to find out 
whether they were affected by the breach and, if so, to register for credit monitoring and identity 
theft services. 272 The technology lead for this project reported to Webb and the business lead 
reported to Smith. 273 Webb said his role was to ensure sufficient resources were directed toward 
this project, including an estimated 50 to 60 IT employees. 274 Payne testified: 

The Project Sparta team was just told that there was a significant breach 
they were working on for a customer, and so they . . . really had no 
knowledge about what they were preparing for, but they were preparing all 
the systems and integrations and standing up the web portal for a mass 
amount of consumers to hit our systems. 275 

Mauldin described her role in this process as “very minimal.” 276 She said the Security 
team reviewed the final website design and security controls a few days prior to launch. 277 She 
stated there was a robust technical discussion, but did not recall any major security concerns at 
the time. Documents show Equifax undertook a significant effort to design and prepare this 
external website. 278 

In the weeks leading up to the public notification on September 7, Equifax also began 
preparations to stand up a call center capability. Payne described the challenges they faced in 
establishing a call center. He testified: 

We had to start preparations to ramp up the call centers for the expected 
influx of calls .... [Rjemembering that Equifax is generally a B2B 
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[business to business] company ... we don’t have a huge focus on 
consumers. So we had to onboard a bunch of external third-party call center 
agents .... I had to get my team organized to help support them and . . . 
make sure we had ... all the onboarding procedures set up so they could 
get access to all systems they needed to be able to do their jobs. 279 

Payne said Equifax “had to ramp up 1,500 [call center] agents in a week or so.” 280 Testimony and 
documents show an intense level of activity took place to prepare for the public notification on 
September 7, 2017. 

B. September 2017 - Equifax Notifies the Public 

Equifax publicly announced the data breach on September 7, 2017. The company soon 
found its website and call centers overwhelmed by individuals seeking information in the wake 
of the breach. Before the end of September, Equifax’s CIO, CSO, and CEO retired from the 
company. 


1. September 7, 2017 - Equifax Publicly Announces the Data Breach 

On September 7, 2017, Equifax announced a “cybersecurity incident” affecting 
approximately 143 million U.S. consumers. 281 Equifax said the type of consumer information 
accessed included names, Social Security numbers, birth dates, addresses, and driver’s licenses. 
Equifax said the attackers accessed 209,000 credit card numbers and 182,000 credit dispute 
documents which contained PII. 282 

Equifax directed consumers to visit equifaxsecurity2017.com for additional information 
(see Figure 6). 283 Equifax intended for this website to: (1) tell consumers whether their personal 
information was compromised; and (2) facilitate enrollment in credit monitoring and identity 
theft protection services. 
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Figure 6: Equifax Website on September 7, 2017 

Equifax confirmed it would provide one year of free monitoring and identity theft 
protection services to victims of the breach. 284 These services included: monitoring of credit 
reports by the three major credit bureaus; copies of Equifax credit reports; capability to lock and 
unlock Equifax credit reports; identity theft insurance; and internet scanning for Social Security 
numbers. 

Equifax sent a letter to officials in all fifty states disclosing the data breach, as required 
by state data breach notification laws. 285 The letter explained the circumstances of the breach and 
the steps Equifax took to protect consumers. 286 The letter included the approximate number of 
potentially impacted residents in the state. 287 

2. Other Stakeholders React to Equifax Announcement 

In the aftermath of Equifax’s public announcement, Equifax’s stock price fell 35 percent 
in the first week, wiping out $6 billion in market value. 288 Multiple federal regulators, including 
the FTC and the CFPB, announced or confirmed investigations. 289 US-CERT warned consumers 
about possible phishing scams leveraging the Equifax data breach. 290 Multiple congressional 
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committees called for hearings and requested documents. The Committee launched its Equifax 
investigation on September 14, 2017. 291 

3. Website and Call Centers Overwhelmed 

Almost immediately, problems existed with Equifax’s public response. 292 The website and 
call centers were overwhelmed with requests for information and left consumers without answers 
as to whether they were affected by the breach. 293 

a. EquifaxSecurity2017.com Issues 

The Equifax Project Sparta team set up a website and supporting infrastructure to handle 
intake from potentially 143 million individuals in approximately three weeks (middle of August 
- September 7). The team created the equifaxsecurity2017.com website, which was separate 
from Equifax’s main website equifax.com. Security experts thought directing consumers from 
equifax.com to equifaxsecurity2017.com for data breach information was not secure because the 
link looked suspicious and confusing. 294 The long website link was even confusing to Equifax 
employees. For example, Equifax’s Twitter account directed customers to a phishing website for 
nearly two weeks because an employee accidentally reversed the order of the words (see Figure 
7). 295 
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Figure 7: Equifax Twitter Thread 


The phishing website was created by a security researcher. 296 People who clicked on the fake link 
and attempted to submit their personal information were greeted by the following pop-up (see 
Figure 8): 



Figure 8: Pop-up Window on securityequifax2017.com Phishing Website 

The real website, equifaxsecurity2017.com, provided consumers with incomplete or 
incorrect information. For example, some individuals who attempted to sign up for credit 


296 Id. 


46 












monitoring services were not enrolled or received error messages. 297 In other instances, people 
received conflicting answers about whether they were affected by the data breach when they 
visited the website from their computer versus their mobile phone. 298 The website challenges 
were significant and had a serious effect on consumer confidence. Webb testified: 

[I] think there was a significant demand on the systems. And it’s one of 
those things, we tried to get ready very quickly, because once we understood 
... we needed to do something, there was very little time to prepare for a 
web-scale solution. 299 

Payne said he thought “the team did a pretty good job” standing up “a consumer website 
that [could] handle that sort of traffic in such a short time.” 300 He said a “bottleneck” in the 
system led to delays. 301 A major cloud service provider with the ability to accept a large amount 
of input hosted the website, but Equifax was limited in processing this input due to constraints 
with the Equifax system. 

Many consumers attempted to sign up for Equifax services, but their registrations were 
delayed because the internal Equifax system could not process a large amount of requests at one 
time. Payne used an analogy to explain the situation, comparing the large number of registration 
requests to a bathtub full of water, and Equifax’s internal capabilities to emptying the tub in 
drips. He testified: 

[So] we filled up the bathtub, but we could only bring the actual transactions 
into our systems, because our systems only had a finite capacity. So the 
bathtub filled up, and we turned the tap on, and it dripped out. All right. 

And the bathtub kept filling up, and the drip kept coming out, and ... it was 
filling up way faster than we could open the faucets and let the drips come 
out. And so each day we were trying to tune those taps to see how much 
more we can let through . . . and that’s why there was a huge backlog of 
people that had registered but didn’t have any notification. 302 

Payne stated a coding issue initially affected the website’s capability to accurately 
identify whether a consumer was a victim of the breach. He said the pressure was intense and 
“people were working day in and day out,” which likely led to the coding mistake. 303 He said the 
coding mistake was addressed quickly, but stated “the [public relations] damage was done by 
that stage.” 304 
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b. Call Center Frustrations 


Delays and frustrations existed with the call center Equifax established to respond to 
consumer questions and provide assistance. Some individuals who called the dedicated call 
center phone number listed on equifaxsecurity2017.com were unable to find out whether their 
personal information was compromised in the breach. 305 Others failed to reach an actual person to 
talk to because the volume of calls overwhelmed the number of customer service representatives 
staffing the phone lines. 

Prior to the breach, Equifax employed approximately 500 customer service 
representatives. 306 Equifax hired and trained “thousands more” customer service representatives 
to staff its call centers. 307 Despite this, call centers were understaffed and the representatives were 
untrained. 308 Payne testified about Equifax failing to successfully roll out the call centers. He 
stated: 


My personal view is that we left [it] too late to start ramping [up] some of 
those call centers. And ... in Equifax’s defense, though, it’s something 
they’d never been through before on that sort of scale, so . . . even just 
identifying a third party that could ramp that many resources that quickly 
and get them trained up ... we were working round the clock . . . there was 
a huge amount of effort going to make sure that we tried to . . . reduce the 
impact, but . . . our processes just weren’t geared up to that level ... to 
quickly expand and get all the systems we had up and to do it in a secure 
way. 309 

Though Equifax spent significant effort and resources on the website and call centers to 
handle post-breach announcement traffic, the company failed to adequately prepare to respond to 
a data breach of this scale. 

4. Three Senior Equifax Officials "Retire" 

On September 15, 2017, Equifax announced the retirement of its Chief Information 
Officer and Chief Security Officer. 310 
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David Webb, the former CIO, was with Equifax for seven years. He testified his 
retirement was a planned, but conceded this was not completely true when he added “it was 
accelerated.” 311 Webb said he was paid through the end of the year and did not receive a 
retirement “package” beyond a pension for which he had contributed during his time at 
Equifax. 312 Webb did not “have the full answer” on why his retirement was accelerated. He stated 
“I felt I still had a lot to offer the company to help with remediation, but I think this [was] a 
decision that was made at the board level.” 313 

Susan Mauldin, the former CSO, was with Equifax for four years and testified her 
departure was connected to the data breach. 314 She stated she “had requested retirement prior to 
the data breach and so the company did extend retirement terms.” 315 Webb testified, “[Mauldin] 
retired on the same day that I did. But the decision to have Susan [Mauldin] exit the organization 
was made earlier than that.” 316 

On September 26, 2017, Equifax announced the retirement of CEO Richard Smith. 317 

C. October 2017 - Forensic Investigation Completed and Senior Equifax 
Employee Fired 

Mandiant identified 2.5 million additional affected consumers after the September 7 
announcement. On the same day Mandiant’s investigation concluded, Equifax terminated 
Graeme Payne for failing to forward the March 9 GTVM Apache Struts patching alert. 

1. October 2, 2017 - 2.5 Million More Victims Announced 

On October 2, 2017, Mandiant completed the forensic portion of its investigation. 318 
During its investigation, Mandiant had found a number of failed database queries hidden in web 
shells created by the attackers. 319 Further analysis showed these queries were successful. 320 
Mandiant identified an additional 2.5 million individuals whose personal information was 
compromised in the breach. This brought the total number of U.S. consumers victimized by the 
Equifax data breach to over 145 million. In describing Mandiant’s findings, Equifax stated: 
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The completed review determined that approximately 2.5 million additional 
U.S. consumers were potentially impacted, for a total of 145.5 million. 

Mandiant did not identify any evidence of additional or new attacker 
activity or any access to new databases or tables. Instead, this additional 
population of consumers was confirmed during Mandiant’s completion of 
the remaining investigative tasks and quality assurance procedures built into 
the investigative process. 321 

2. Senior Equifax Employee Terminated for "Failing to Forward an Email" 

On October 2, 2017, Equifax terminated Graeme Payne, the Senior Vice President and 
CIO for Global Corporate Platforms tasked with managing the ACIS environment. 322 Payne was 
a highly-rated Equifax employee for seven years prior to the data breach. 323 

Payne told the Committee he was called into a meeting with two human resources 
employees who advised him he was being terminated as a result of the incident investigation. 324 
When he pressed for more information about the investigation, human resources declined to 
provide any documentation for the investigation, but told Payne he failed to forward an email. 325 

On October 3, the day after Payne was terminated, former Equifax CEO Richard Smith 
testified before Congress and repeatedly mentioned an individual who had failed to act on a 
security warning (see Figure 9). 326 In his testimony before the House Energy and Commerce 
Committee, Smith made the following statements: 

• “The human error was the individual who is responsible for 
communicating in the organization to apply the patch did not.” 327 

• “Congressman, we get notifications routinely, the IT team and Security 
team do, to apply [patches]. This individual as I mentioned earlier did 
not communicate to the right level to apply the patch.” 328 

• “I described it as a human error where an individual did not ensure 
communication got to the right person to manually patch the 
application. That was subsequently followed by a technological error 
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where a piece of equipment we use which scans the environment 
looking for that vulnerability did not find it.” 329 





Figure 9: Former CEO Richard Smith Testifies before Congress (Oct. 3, 2017) 


Payne told the Committee he watched Smith’s congressional testimony and “was not very 
happy.” 330 Payne elaborated and said Smith testified the breach was attributed to a human error 
(failure to forward an email) and system error. 331 Payne stated, “I put two and two together, and I 
thought oh, that must be the email they’re referring to.” 332 

Payne said Smith’s testimony was “a gross simplification ... of what actually had 
occurred and . . . the complexity of this. . . . [A]nd here we are in front of Congress testifying 
that, oh, no, it was just a simple act of one person who forgot to forward an email, which is just 
way, way simple - just a gross simplification.” 333 

Payne testified regarding the alleged failure to forward the March 9, 2017 GTVM 
patching alert email on the Apache Struts vulnerability. 334 He stated: 
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To assert that a senior vice president in the organization should be 
forwarding vulnerability alert information to people . . . sort of three or four 
layers down in the organization on every alert just doesn’t hold water, 
doesn’t make any sense. If that’s the process that the company has to rely 
on, then that’s a problem. 335 

Payne was just one of 430 employees to whom the GTVM email alert on the Apache 
Struts vulnerability was sent. 336 Payne said he was copied on this email for informational 
purposes, but no specific action was required of him. He stated: 

A. So on the GTVM [email alert], I think all the CIOs were copied on 
that information. But, as I indicated, it was probably more for 
information than anything. 

Q. It wasn’t necessary for action on your part? 

A. No, because I didn’t have a responsibility under the [Patch 
Management] policy to - I wasn’t a system owner or an application 
owner. 337 

Payne was never directed by anyone to forward such emails. 338 

A senior Equifax official was terminated for failing to forward an email - an action he 
was not directed to do - the day before former CEO Richard Smith testified in front of Congress. 
This type of public relations-motivated maneuver seems gratuitous against the back drop of all 
the facts. 

D. Early 2018 - Victim Total Rises to 148 Million 

Even after the initial forensic investigation concluded, Equifax identified more affected 
individuals. On March 1, 2018, Equifax updated its September 7 and October 2 public 
announcements and confirmed the identities of an additional 2.4 million U.S. consumers “whose 
names and partial driver’s license infonnation were stolen, but who were not in the previously 
identified affected population.” 339 This announcement brought the total number of individuals 
harmed by the data breach to 148 million. 
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On May 4, 2018, Equifax provided a statement for the record to the Committee 
describing the location of data stolen by the attackers, explaining these records were from “a 
number of database tables with different schemas, and the data elements stolen were not 
consistently labeled.” 340 Additional forensic analysis allowed the company to confirm 
approximate numbers of affected consumers for 12 standard data elements. 341 These data 
elements include name, date of birth, Social Security number, address information, gender, 
phone number, driver’s license number, email address, payment card number and expiration 
date, TaxID, and driver’s license state. 

Equifax provided the following chart summarizing the categories of data compromised in 
the 2017 data breach (see Figure 10): 


Data Element 

Stolen 

Standardized 

Columns Analyzed 1 

Approximate 
Number of 

Impacted U.S. 

Consu liters 

Name 

First Name. Last 

Name. Middle Name, 
Suffix, Full Name 

146.6 million 

Date of Birth 

DOB. 

146.6 million 

Social Security 
Number^ 

SSN 

145.5 million 

Address 

Information 

Address, Address2, 

City, State. Zip 

99 million 

Gender 

Gender 

27.3 million 

IMtone Number 

Phone. Phone2 

20.3 million 

Driver’s License 
Number* 

DL. # 

17.6 million 

Email Address 

(w/o credentials) 

Email Address 

1.8 million 

Payment Card 
Number and 
Expiration Date 

CC Number, Exp Date 

209.000 

TaxID 

TaxID 

97.500 

Driver’s License 
State 

DL License State 

27.000 


Figure 10: Data Compromised in 2017 Data Breach 
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In addition to data outlined in Figure 10, Equifax confirmed attackers accessed images 
uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers. 342 

E. Mandiant's Forensic Analysis Was Challenging 

The forensic analysis conducted in the aftermath of the Equifax data breach was 
challenging due to the complexity of the Equifax IT environment. Susan Mauldin stated it took 
Mandiant several weeks (from early August up to September 6) “to be able to arrive at a number 
[of impacted consumers] that they felt firm about.” 343 Mauldin explained why this analysis took 
so long, testifying: 

My understanding of it was that it was very complex. The data was in many 
different tables and databases, and linkages had to be understood. And then 
you had to make sure that you weren’t double-counting. If a record is here 
and it’s here, let’s not count that person twice. So to make allowances for 
that and ... it’s just my recollection that it was very complex to sort through 
everything and make sure that they had a correct number with all factors 
considered that could have changed that number. 344 

Mandiant explained the challenges of forensic analysis in the Equifax environment. 
Mandiant told the Committee it had to work with the database owners to understand the meaning 
of data not clearly identifiable. 345 A list of Equifax database owners did not exist. Therefore, 
Mandiant had to identify and verify database ownership before it was able to begin its analysis. 

Payne testified as to why the forensic analysis was so challenging. He said the 
complexity of the Equifax IT environment, which negatively affected security capabilities, also 
hindered forensics. Payne stated: 

I’d worked in financial services and other environments - and the Equifax 
technology infrastructure is very complex. It’s very complex. It has got a 
huge amount of - lots of different systems, lots of complexity, lots of matrix 
management, and it’s just difficult . . . and it’s got a huge [amount] ... of 
history of how some of those systems came together. So it’s just - it’s 
complicated. 346 
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V. Specific Points of Failure: Equifax's Information 
Technology and Security Management 

In many ways, Equifax operates like other global financial companies: the stock is 
publicly traded; employees reside in countries around the world; and major corporate and 
government contracts rather than sales to individual consumers create the company’s earnings. 
However, Equifax deviates operationally from similar corporations in several ways. Each of 
these deviations can be traced to specific points of failure resulting in the 2017 data breach. 

A. Equifax IT Management Structure Lacked Accountability and 

Coordination 

1. IT Organizational Structure at the Time of the Breach 

Prior to 2005, Equifax’s CSO reported to then-CIO Robert Webb (no relation to David 
Webb). 347 This reporting structure resulted in Robert Webb having responsibility over the IT 
security function led by the CSO. 348 An internal restructuring altered this reporting relationship 
during Robert Webb’s tenure. Following this change, the CSO reported to the Chief Legal 
Officer instead of the CIO. 

Richard Smith was hired as the company’s CEO in 2005. 349 Tony Spinelli was also hired 
in 2005 to fill the role of CSO, at the direction of Smith. 350 Equifax executives knew growing 
security risks and compliance requirements necessitated an overhaul of the company’s security 
stance. 351 Spinelli was tasked with establishing the first company-wide IT security standards. 352 
Spinelli presented the Equifax Board of Directors with a three-year, $15 million plan to 
reorganize IT security across the enterprise. 353 

The working relationship between CIO Robert Webb and his subordinate CSO Tony 
Spinelli devolved due to “fundamental disagreements,” so the significant decision was made to 
move the security function out of IT and into the legal office. 354 Payne testified Tony Spinelli 
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“instigated moving security from outside of IT to report to legal.” 355 Thus, the Security 
organization was removed from the control of the CIO and placed under the purview of the Chief 
Legal Officer. The Chief Legal Officer was then referred to as the “head of security.” 356 

In 2010, Equifax hired David Webb as CIO following Robert Webb’s retirement. 357 Then 
in 2013, Susan Mauldin took over the CSO position after Tony Spinelli left Equifax. 358 The 
company did not revert the IT organizational structure back to its original form despite multiple 
discussions between David Webb and Equifax leadership to do so (see Figure 11). 359 



Figure 11: Equifax IT Organizational Structure (2013 - Sept. 2017) 

Webb had multiple conversations about the structure with CEO Richard Smith and Chief 
Legal Officer John Kelley, and one with Susan Mauldin. 360 Webb testified: 

Q. Did you ever bring that up when you were at Equifax that the CSO 
should report to you as CIO? 

A. I did. 

Q. Can you give us details? When did you first bring that up? Who did 
you bring it up to? What were the discussions like? 

A. A couple of occasions when this issue came up. Right after I had 
started in my role with the company, I asked the question on why it 
was the way it was, and ... I really sought to understand the 


355 Payne Transcribed Interview at 68. 

356 Webb Transcribed Interview at 108-09. 

357 Id. at 7, 81. 

358 Mauldin Transcribed Interview at 9; Webb Transcribed Interview at 81. 

359 Webb Transcribed Interview at 108-09. 

360 Id. 


56 











structure. And given I was new in the role and had plenty on my 
plate, I just felt that was acceptable. 

The ultimate, the final discussion, actually, was probably 2 weeks 
before I retired when we actually did it, finally agreed that we would 
move the Security function under IT. And that was a conversation 
that I had with [CEO Richard] Smith and with the person who - 
yeah, so it was [Smith] and one other person from the leadership 
team. And we made a decision that we would actually look for a new 
CSO at that time. 

Q. And in the previous conversations you had, was that also with the 
CEO? 

A. As well as with the head of security - person responsible for security 
[John Kelley]. 361 

Webb asked Mauldin whether she would support moving the CSO back under the CIO. 362 
Webb testified: 

A. I actually did have a conversation one time with Susan Mauldin 
about whether she thought it was a better option. 

Q. And what was her response? 

A. I think she was comfortable with where it was. 363 

Mauldin testified about her knowledge of the origin of the particular organizational 
structure. She stated: 

[T]hat structure was in place ... at the time I arrived at Equifax. It was the 
structure that was there with the person that was my predecessor. And I 
knew that it was that structure going in. I didn’t question it. I was okay with 
it. And so it was just what was there, and so it continued with what it had 
been. 364 


When asked if Equifax’s organizational structure from 2013 to 2017 was typical for a 
large and complex organization, Webb simply said “No.” 365 Webb affirmed “[i]t’s more typical 
for the CSO to report to the CIO.” 366 
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The final conversation about the organizational structure between Webb, Smith, and 
Kelley occurred just two weeks before Webb took an early retirement from the company in mid- 
September 2017. 367 During this meeting, the decision was made to move the Security 
organization back under the CIO. 368 

On September 15, 2017, Equifax announced Webb and Mauldin’s retirement and named 
interim Equifax officials to temporarily fill both positions. 369 Equifax stated its interim CSO Russ 
Ayres would report to the interim CIO Mark Rohrwasser. This reporting structure continued until 
February 2018, when Equifax announced Jamil Farshchi as its new Chief Information Security 
Officer. 370 Farshchi reports directly to current Equifax CEO Mark Begor. 

2. Operational Effect of the Organizational Structure 

The functional result of the CIO/CSO structure meant IT operational and security 
responsibilities were split, creating an accountability gap. At the time of the breach, Equifax’s 
organizational structure did not facilitate a strong CIO and CSO partnership. Testimony 
demonstrated the disconnect between IT operations and security. 

Webb distanced himself and his organization from Security during his interview with the 
Committee, and often referred the Committee to Mauldin for answers. 371 For example, he 
testified to how the topic was approached at senior leadership team meetings, stating: 

[L]et me try and separate information technology from the security 
component, because I can speak better to the IT function. 

We had quarterly business reviews with the entire senior leadership team 
where we would talk about the key activities that we were undertaking on 
behalf of the business units. We would talk about the key initiatives that 
were in flight. We would talk about potential projects that were going well 
and potential projects that were not going so well. We would try to keep 
them informed. And then we would also talk about . . . what was on the 
horizon from a technical perspective. So we’d try to provide . . . general 
education about information technology and what we were working on. 

The security piece of it was typically covered within the legal review. And 
so if you wanted to understand what was being discussed there, I think you 
would need to talk to Susan and to the legal counsel about the content of the 
material that was being presented. That would be my recommendation. 372 
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Mauldin similarly testified about this division of responsibilities. For example, she stated: 


Q. So the scope of your responsibility was . . . company-wide? 

A. Yes, it was. 

Q. Including the systems in Alpharetta, Georgia, the folks that were 
responsible for security would have reported to you. Is that correct? 

A. Well, to just be clear, when you say that, what I think of - and let 
me see if this is answering your question. So the Security team had 
global responsibility and would establish the policies and the 
standards, or the rules, which the IT team would operate under. 

And so when you say the systems in Atlanta, that makes me think 
of the IT team, who is responsible for following the rules that the 
Security team has set forth. So we had a working relationship where 
security would establish the rules and work with the IT team to 
implement those rules. 

Does that answer the question? 

Q. Sort of. Who would enforce those rules then? Who would make sure 
that the compliance requirements were met? 

A. That was a . . . combination of responsibilities, certainly with IT, to 
make sure that their staff was held accountable to the rules and the 
policies that were set forth. IT also - or I’m sorry, Security also had 
proactive processes that we used to continually scan for and look for 
risk for any areas where perhaps there might be a gap or something 
had not been followed correctly. 373 

Witnesses agreed good communication between and within the IT and Security 
organizations was essential, though all witnesses the Committee interviewed noted frustrations 
with the process. Webb said, “clearly, in order for that [line of reporting] to function as a 
structure, it requires a high degree of coordination and communication.” 374 Webb testified about 
the reporting structure’s effect on cybersecurity incidents at the company, stating: 

[W]hen you have multiple lines of communication across organizations, 

things happen slowly. So speed to execution is slower, but that doesn’t mean 

the outcomes are different. It just takes longer to get to decisions. 375 
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In April 2016, frustrations with the company’s IT governance were high when an internal 
reorganization within IT occurred, and the IT risk and compliance group was moved under the 
direction of Payne. 376 As a result, Payne received responsibility for access management, IT-audit 
coordination, and IT-Security coordination. 377 

Payne said when he took over the IT risk and compliance group in 2016 he met with 
Chief Legal Officer John Kelley, who was the head of security and Mauldin’s supervisor, to 
discuss how IT could better support the Security team. 378 As a direct result of the meeting, 
monthly IT and Security meetings were initiated in April 2016. 379 Kelley, Mauldin, Webb, and 
Payne participated in these meetings in an effort to better coordinate functions between the IT 
and Security teams. 380 

Payne said the purpose of these monthly meetings was to ensure senior leaders had 
visibility on “all the things that Security was asking IT to do, and IT was being responsive to the 
things that Security was asking us to do.” 381 Payne said he initiated these meetings “because there 
appeared to be some frustration there on J’s [Kelley] part as to the progress that was being made 
on certain things .... that IT wasn’t doing for Security” fast enough. 382 He testified: 

[Kelley] did have a list. He never shared that list with me. But anyway, we 
developed - we started meeting and we had somewhere between, I would 
say, 10 and 20 different initiatives we identified that we wanted to track 
through that process, and we started tracking those. 383 

There were a variety of initiatives tracked at these monthly meetings, including patch 
management and digital certificate deployment. 384 Both of these initiatives turned out to be key 
systematic challenges leading to the 2017 data breach. 

3. Equifax’s Organizational Structure Allowed Ineffective IT Coordination 

Depending on the organizational reporting structure a company adopts the CSO and CIO 
roles can be conflicting or complementary. At Equifax, the IT and Security organizations were 
siloed, meaning information rarely flowed from one group to the other. Collaboration between IT 
and Security mostly occurred when required, such as when Security needed IT to authorize a 
change on the network. Communication and coordination between these groups was often 
inconsistent and ineffective at Equifax. 

One example of the lack of IT-Security coordination was that multiple and incomplete 
software inventory lists were kept separately by each group. Both IT and Security rely on 
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accurate inventory lists to operate, patch, and monitor the company’s IT systems. In a more 
collaborative environment, these lists would be merged into a single master document with both 
teams working together to complete the inventory. 385 Equifax did not have an optimal IT 
management environment. 

Equifax’s CEO did not prioritize cybersecurity. Webb testified Smith held quarterly 
senior leadership team meetings where IT security was just one of the many topics discussed. 386 
Smith confirmed these meetings only occurred quarterly. 387 Mauldin did not regularly attend 
these meetings because the CSO was not considered part of the senior leadership team during her 
tenure. 388 As a result of this meeting cadence, Smith was not receiving timely information on 
Equifax’s security posture. The information he did receive was presented by Kelley - the head of 
the legal department who did not have any background in IT or security - rather than Mauldin, 
the company’s IT security expert. 389 

Equifax’s organizational structure prior to the breach, with the CSO reporting to legal, 
was outside the norm. 390 A 2017 report by the Ponemon Institute found 50 percent of CSO survey 
respondents report to the CIO. 391 In contrast, Ponemon found only 8 percent of CSOs report to 
the general counsel and 4 percent report to the CEO. 392 A PricewaterhouseCoopers study 
published in 2018 concluded it is more common for the CSO to report directly to the CEO or 
board of directors, rather than to the CIO. 393 The study found 24 percent of CSO survey 
respondents report to the CIO, while 40 percent report directly to the CEO. 394 

A number of IT management changes have occurred since the company announced Webb 
and Mauldin’s retirements in September 2017. First, Equifax renamed the CSO as the Chief 
Information Security Officer (CISO). On February 2, 2018, Equifax appointed Jamil Farshchi as 
its CISO. 395 Equifax announced a revised reporting structure elevating the CISO to directly report 
to the CEO. 396 Next, Equifax changed the CIO title to Chief Technology Officer (CTO). On June 
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15, 2018, Equifax appointed Bryson Koehler as its CTO. 397 The CTO continues to directly report 
to the CEO. 

Equifax’s recent IT management actions show the company now recognizes 
cybersecurity is a core business function. Making the CISO and the CTO peers on Equifax’s 
senior management team should result in a more productive and collaborative approach to 
security. 

B. Equifax Had Serious Gaps between IT Policy Development and Execution 

At the time of the breach, Equifax’s internal IT management process failed to establish 
clear lines of accountability for developing IT security policies and executing these policies. 
There was a division of responsibilities between the IT and Security departments to address IT 
policy development and operational implementation. 398 Webb testified: 

Q. Did you make any IT security operational decisions? 

A. Typically, the way the work was separated between the 
organizations, the Security organization would define the ‘what.’ 

They had a security engineering function. The IT guys were 
responsible for deploying the technology that [Security] wanted into 
the infrastructure, and then [Security] would be provided the ability 
to configure the software, all the solution, the appliance, whatever it 
might be, in accordance with their desires. 

Q. So who ultimately made security decisions? When you, for example, 
you were trying to decide how to patch a software vulnerability, 
when, where, how to make that happen? 

A. So, again, the ‘what’ and the ‘how’ was segregated. So from a policy 
perspective, the policy was typically defined within the Security 
organization. The IT organization would have the opportunity to 
review that and to ensure that the policy could be conformed with 
and it made sense, given the infrastructure and the environment. And 
then, again, it varied by . . . security product. But, typically ... the 
IT organization would be responsible for ensuring that, in the case, 
for example, of a patch, that the patch was applied. Because the 
Security organization could not effect changes to the infrastructure 
directly. They could operate software, but they could not install the 
software and they could not change the infrastructure. 


397 Alex Hickey, IBM’s Bryson Koehler Becomes Equifax CTO , CIO Dive (June 15, 2018), 
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So there was a joint responsibility. One for policy and then one for 
implementation. Security was then responsible for ensuring that the 
work was completed properly. 

Q. So you would implement at the direction of the [CSO]? 

A. That’s correct. 399 

1. Equifax’s Patch Management Process 

The disconnect between policy development and execution was especially pronounced 
with respect to Equifax’s Patch Management Policy. This policy defined roles and 
responsibilities, and established guidelines for the patching process. 400 The policy designated two 
Equifax employees to lead implementation, the policy manager and the senior leadership team 
owner. Webb stated the responsibility of the policy manager was to “ensure that all of the work 
we needed to do was tracked,” and the senior leadership team owner’s role “was to ensure that 
the organization conformed to the policy.” 401 

The 2016 version of the Patch Management Policy was in effect when US-CERT 
distributed the March 8, 2017 Apache Struts vulnerability alert. 402 Under the 2016 version, David 
Webb was the senior leadership team owner and Susan Mauldin was the policy manager. 403 

The 2016 Patch Management Policy identified the roles and responsibilities for various 
individuals in regards to applying a patch in an environment within their portfolio (see Figure 
12) 404 Under the policy, the business owner is informed of the need to patch and is responsible 
for approving downtime so the patch can be applied. The system owner is responsible for 
applying the patch and the application owner is then responsible for ensuring the patch is applied 
properly. 405 According to testimony provided to the Committee, while roles and responsibilities 
were defined in the policy, there were no official designees for these roles. 


399 Webb Transcribed Interview at 15. 
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401 Webb Transcribed Interview at 19-20. 
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Security becomes aware of need to patch a known vulnerability. 

• Security sends an email to the GTVM listserv, informing 
personnel responsible for IT assets of the need to patch this 
vulnerability and the timeframe for patching. Personnel 
responsible for an IT asset include the Business Owner, System 
Owner, and Application Owner. 

• Critical vulnerabilites must be patched within 48 hours. 


System and Application Owners are required to keep an up-to-date 
software inventory, including source and version number, for the IT 
assets each are responsible for. 

• If a patch alert from GTVM affects a software version in use on 
their assigned IT asset, then the System and Application Owners 
know to inform the Business Owner of the need to patch. 




The Scheduler receives patching requests from System and 
Application Owners. The Scheduler notifies appropriate parties of 
the confirmed date the patch will be applied. 

• The Business Owner approves production downtime to install the 
patch. 


The System Owner ensures the patch is applied within the 
timeframe designated by GTVM. 

• Following the installation of a critical patch, Security is required 
to rescan the external and internal environments within 48 hours 
to confirm no unpatched vulnerabilities are still present. 


Figure 12: Critical Vulnerability Patching Process under 2016 Patch Management Policy 406 

a. Patching Process Failed Following March 9, 2017 Apache Struts Alert 

The Security and IT teams were made aware of the need to patch Apache Struts within 
the Equifax systems through an email alert distributed by the Global Threat and Vulnerability 
Management (GTVM) team. 407 Each patch is given a criticality classification by vendors (e.g., 
low, moderate, high, or critical), so users are aware of how quickly the patch should be 
applied. 408 According to Susan Mauldin, the Security team could alter the vendor’s classification, 
but normally Equifax adopted the vendor’s classification. 409 

The Apache Struts patch was classified as a critical patch. 410 Under Equifax’s policy, the 
Apache Struts patch should have been applied within 48 hours of the patch’s dissemination on 
March 9, 2017. 411 Equifax did not patch this particular vulnerability within 48 hours. The Apache 
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Struts software running on the ACIS system was not patched until discovery of the breach in late 
July 2017. 412 Equifax officials confirmed the source of the initial intrusion was the exploitation of 
this Apache Struts vulnerability. 413 

To determine who was responsible for applying the Apache Struts patch to the ACIS 
system, the Committee asked Payne to identify employees by the roles listed within the Patch 
Management Policy. Specifically, the Committee asked him to identify the business owner, 
system owner, and application owner responsible for the ACIS system. Payne testified: 

Q. So the application owner for ACIS would have been who or what 
organization? 

A. So I don’t believe there was any explicit designation of application 
owners. If you ask me who I think the application owner would be, 

I can probably answer that. 

Q. That would be good. 

A. So I believe - in my view, the application owner for ACIS - for the 
online dispute portal component because that was a component - 
was [Equifax IT Employee 1] and probably also [Equifax IT 
Employee 2]. So again, I don’t believe there were any specific 
designations, so these would be - if someone asked me, "Who do 
you think they would be?" that would probably be the two people I 
would look at. 414 

* * * 

Q. So would they have been the people that should have received the 
GTVM email saying you need to patch? 

A. Yes, as well as the system owner. 

Q. Okay. Who’s the system owner? 

A. So again, those people weren’t designated. So I can - 

Q. Tell me who you think? 

A. My guess would be that the system owner would be someone in the 
infrastructure group probably under [Equifax IT Employee 3], 


412 Payne Transcribed Interview at 12-13. 

413 Briefing by Mandiant, to H. Comm, on Oversight & Gov’t Reform & H. Comm, on Science, Space, & Tech. 
Staff (Aug. 17, 2018). 

414 Payne Transcribed Interview at 22. 


65 



since...as part of the global platform services group, his team ran 
the sort of the server operations. 415 


* * * 

Q. If you look at the definition ... it says: System owner is responsible 
for applying patch to electronic assets. 

So would it be the case that [Equifax IT Employee 3] would have 
been the one responsible for actually applying the patch to ACIS? 

A. Possibly. Again, we are talking at a level that I wasn’t involved in, 
so I can’t talk specifically about... who actually had physical access 
to that system to be able to install the patch. 416 

Payne said he did not have a specific role or responsibility to patch the ACIS system as a senior 
executive, stating he was a “manager of managers who managed teams that would fulfill roles 
laid out in the policy.” 417 

Each witness was asked if redundancies existed to ensure the correct individuals received 
the GTVM alert to patch a specific vulnerability. Mauldin and Webb both testified there were no 
redundancies within the patching process to ensure the proper individuals were notified of the 
need to patch. 418 Mauldin testified: 

Q. In terms of the patching policy, I understand there was this [GTVM] 
email that went out. Was there any kind of redundancy or follow-up 
that would have kind of pinged the person responsible to take action 
that you know of? 

A. Not that I recall. 

Q. I’m trying to understand if that [GTVM] email was the only alert 
that the owners of the system would have gotten. 

A. So . . . are you asking if the Security team would repeat the alert? 

Q. To your knowledge, based on the process, was there any type of 

repeat about the initial alert that went out? Maybe it was Security; 
maybe it was IT. 

A. Well, I do know that - what I was told by the leader of the [GTVM] 
team for that March 16th meeting, that the PowerPoint presentation 
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that they used for that meeting had a specific page . . . that 
highlighted the particular [Apache Struts] vulnerability again, and 
again stated ... if you’re using that version of Apache Struts, you 
must patch. And he also conveyed that they had a discussion about 
it on that [March 16 GTVM conference] call. 419 

Webb testified: 

Q. Were you aware of any other way to get the word out to Equifax, 
application owners, et cetera, besides this email to 400 individuals? 

A. No. 420 

Payne testified the Patch Management Policy required the system owner and application 
owner to subscribe to vulnerability distribution bulletins from external sources, such as US- 
CERT or a software vendor. 421 These distribution bulletins would notify the system owner and 
application owner of available patches. 422 As Payne stated, the lack of an official designation for 
system owner and application owner meant there was no mechanism for ensuring either person 
followed this subscription requirement. 423 

The lack of accountability and compliance efforts in the execution of Equifax’s patching 
process was a significant factor leading to the 2017 data breach. Webb confirmed the Patch 
Management Policy did not work in this case. He testified: 

Q. [I]n your opinion, did Equifax’s Patch Management Policy work in 
this case? 

A. I’d [have] to say no. 

Q. Why do you think that is? 

A. [W]hen I think about issues in technology, I think about it from a 
people process and a technology perspective. 

I think that the process was in place. I don’t think that the people 
necessarily conformed to the procedures. And I think there was . . . 
potentially a failure in technology. 424 
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b. Equifax Was Aware of Issues with the Patching Process 


Equifax leaders had notice of the many issues related to the patching process prior to the 
Apache Struts patching failure. In 2015, Equifax conducted an audit of its patch management 
process. This audit found a number of significant deficiencies within the patching process at 
Equifax. 425 The audit had eight detailed findings and corresponding recommended management 
actions for each finding (see Figure 13): 


425 Equifax, Patch Management Audit 3 (2015) (on file with Committee, EFXCONG-SSTOGR000122049 - 
EFXCONG-SSTOGROOO122056) [hereinafter 2015 Patch Management Audit], 
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Equifax 2015 Patch Management Audit Findings 426 


2015 Audit Findings 

Management Recommendations 

Complete By 

1 

Vulnerabilities were not remediated in a 
timely manner. 

Implement automated patching tools 
and retire legacy systems as quickly as 
possible. 

12/31/2016 

2 

Equifax lacked adequate asset 
management procedures. A 
comprehensive IT asset inventory, 
accurate network documentation, or a 
global view of IT infrastructure did not 
exist. 

Improve IT asset management controls 
to ensure a current and accurate 
inventory of all IT assets is available. 

6/30/2017 

3 

Systems were not patched in a timely 
manner. Most patches were applied 
reactively, after GTVM sent out an alert 
to patch, instead of proactively. 

Implement and enforce a proactive 
patching process. 

12/31/2016 

4 

Vulnerabilities were not adequately 
tracked, prioritized, and monitored to 
ensure timely remediation. An "honor 
system" was used to ensure patches are 
installed. No controls in place, such as a 
patching exception tracker, to escalate 
critical vulnerabilities not remediated in 
a timely manner. 

Create a centralized patch and exception 
process to assess, prioritize, and monitor 
all vulnerabilities that do not comply 
with Equifax policy. 

Long-term 
solution target 
2017 

5 

New systems, and changes to existing 
systems, were not required to be 
scanned for security risks prior to 
deployment. 

Modify change management procedures 
to require vulnerability scanning of 
assets prior to deployment. 

12/31/2015 

6 

Server hardening standards had not 
been developed for Windows systems. 

Document and publish Windows server 
hardening standards. 

3/31/2016 

7 

Patches were inadequately and 
inconsistently tested prior to 
deployment. 

Test all patches prior to deployment. 

6/30/2016 

8 

Patch Management Policy did not 
consider the criticality of an IT asset 
when determining the time frame for 
patch installation. 

Review all IT assets and classify risk; 
enhance the Patch Management Policy 
to include more stringent patching 
requirements for high risk systems. 

12/31/2015 


Figure 13: Equifax 2015 Patch Management Audit Findings 


Equifax did not remediate many of the issues identified in the 2015 audit prior to the 
2017 breach. For example, the company had not implemented automated patching tools to 
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establish redundancies in the patching process, which could have alerted the company to the 
vulnerable software on the ACIS system. 

The 2015 audit identified asset management controls as an area in need of improvement. 
In order to effectively implement a patching process, an entity must have a comprehensive 
inventory of IT assets. If an organization does not know what is on its networks, it will not know 
where patching is needed. As of July 2017, the company did not have a comprehensive and up- 
to-date inventory of its IT assets or the software operating on its systems. 427 Equifax employees 
had previously identified Apache Struts on the ACIS application during the remediation of 
another Apache Struts vulnerability in January 2017. The company failed to document and track 
this information, and was surprised to discover the presence of Apache Struts within this 
environment in July 2017. 428 

2. Equifax’s Certificate Management Process 

Another example of disconnect between policy development and implementation relates 
to Equifax’s certificate management process. The company was distinctly aware it lacked a 
process for updating SSL certificates. Security employees discussing the plan for uploading the 
Apache Struts signature rule into the intrusion prevention system noted a broader problem with 
updating SSL certificates. Specifically, one employee said Equifax needed to (1) define who 
owns SSL certificate “care and feeding” and (2) create and validate a SSL certificate update 
process. 429 

Equifax knew of the potential security risks posed by expired SSL certificates. An 
internal vulnerability assessment tracker entry dated January 20, 2017 stated “SSLV devices are 
missing certificates, limiting visibility to web based attacks on [intrusion prevention system].” 430 
At the time of the breach, however, Equifax had allowed at least 324 of its SSL certificates to 
expire. 431 Seventy-nine of the expired certificates were for devices monitoring highly business 
critical domains. 432 Had Equifax implemented a certificate management process with defined 
roles and responsibilities, the SSL certificate on the device monitoring the ACIS platform would 
have been active when the intrusion began on May 13, 2017. The company would have been able 
to see the suspicious traffic to and from the ACIS platform much earlier - potentially mitigating 
or preventing the data breach. 


Equifax knew its patch management and certificate management processes were deficient 
and action was needed to make the processes effective. The Apache Struts patching failure 
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illustrates the disconnect between policy development and operational execution. The Patch 
Management Policy included defined roles for personnel responsible for patching activities, but 
Equifax failed to designate employees to fill these roles. 433 Equifax knew the patching process 
operated on “the honor system,” yet failed to establish a mechanism to ensure accountability and 
compliance. 434 

If Equifax had implemented and consistently executed an effective patch management 
policy, the 2017 data breach would have been preventable. Webb agreed with this conclusion. 

He testified: 

Q. So would you agree that if Equifax had effectively patched the 
system within the 48 hours, this potentially would have been a 
preventable incident? 

A. Yes. 435 

C. Equifax Ran Business Critical Systems on Legacy IT with Documented 

Security Risks 

Equifax faced increased security risks due in part to its complex legacy IT environment. 
Legacy technology is both a security issue and a hindrance to innovation, and legacy systems are 
tough to secure because they are often extremely difficult to patch, monitor, or upgrade. 436 
Equifax ran a number of its business critical systems on legacy infrastructure, including the 
ACIS system compromised by attackers during the 2017 data breach. 

1. Equifax’s Company Expansion Created Highly Complex IT Infrastructure 

Richard Smith embarked on an ambitious growth strategy when he became CEO in 
2005. 437 Smith utilized acquisitions as the primary method to expand the company’s market 
value. 


Payne testified to the complexity of the company’s technology infrastructure. 438 He said 
Equifax had grown significantly over the last ten years with a number of acquisitions and 
integrations adding to the complexity of the technology situation, making the application of 
security methodologies and tools even more challenging. 439 Payne stated: 

[T]he company had been very acquisitive. If you look at the growth of the 
company certainly since I was there ... it grew significantly over the 
10 years or the 7 years, but even before I started, it was a growth spurt. 
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There was a huge amount of acquisitions, a lot of integrations going on. So 
just kind of. . . bringing those new systems in and getting them under some 
sort of management structure is . .. management, not leadership, but getting 
consistency in the way that all that technology’s managed is a - while all at 
the same time building platforms for growth and standardization for the 
future, it’s a big task. 440 

Equifax had custom-built a number of its IT systems. Payne stated: “Here, they built a lot 
of systems. And so when you build the systems, it adds more complexity. And you can’t go out 
and buy a dispute and disclosure system, you have to build it, right? So that just adds - all of that 
adds complexity.” 441 

2. Composition of the Legacy ACIS Environment 

One of the custom-built legacy IT systems used by Equifax from the 1970s through 2017 
contained the ACIS environment, an internet-facing business system individuals use to dispute 
incorrect information found within their credit file. 442 During the 2017 breach, Graeme Payne 
was responsible for managing the ACIS environment for IT. 443 Payne testified: 

ACIS was the dispute and disclosure system that was built in . . . the late 
1970s to address the requirements of the [Fair Credit Reporting Act]. And 
under that legislation, credit bureaus are required and data furnishers are 
required to have a process in place to both disclose information to 
consumers, but also to manage disputes on consumers’ credit files.... 

And so we needed a system back then to manage that process. And so way 
before I even started at Equifax the system was built. When I moved into 
this position in 2014, we were still running that [ACIS] system that had been 
built way back then. 444 

One concern for Equifax’s continued use of legacy technologies and applications was the 
dwindling number of employees with knowledge of how to operate and maintain the aging 
system. According to Payne, the company was “lucky that we still had the original developers of 
the [ACIS] system on staff.” 445 He testified: 

A. [W]e had a risk of an aging workforce that supported it [ACIS] that 
could potentially walk out of door and we’d have a lot of knowledge 
go at the same time. 
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Q. The original developers were still on staff. How . . . many people 
are we talking about? 

A. A couple of people. 446 

The ACIS system was extremely complex and had been modified many times. 447 When 
asked to explain the ACIS environment components, Payne testified: 

[W]hen we talk about a system obviously there’s a technology stack of 

applications, database, middleware, and operating system and network . . . 

. In addition, just to add more complexity, ACIS had many different 

components as well. So there was a stack and there was many components, 

so it was wide and deep in different ways. 448 

Both the hardware and operating system supporting the ACIS platform were older, legacy 
technology. 449 Webb described legacy technology as “an environment that was aging, and . . . 
that was scheduled to be retired at a future date.” 450 The ACIS application was housed on servers 
in Equifax’s Alpharetta, Georgia data center made by the now-defunct company Sun 
Microsystems, which Equifax referred to internally as the “Sun servers.” 451 

The Sun servers run the Solaris operating system, which is a mixed open-source 
operating system developed by Sun Microsystems. 452 This means the operating system ran a 
custom combination of proprietary (closed source) and open source software. Apache Struts is an 
open-source web application framework. 453 Specifically, Apache Struts is middleware, which is a 
software that runs between an operating system and an application, and allows the application to 
successfully run on the operating system. 454 

According to Webb, “Apache Struts is used in a number of the legacy environments 
where [Equifax was] running applications on the Sun server platforms.” 455 He testified: 

Q. How widely was the Apache Struts software used within the Equifax 
organization? 

A. It was limited to the Sun server environment, and there were - we 
were down to - you have to realize that we were running thousands 
of servers, and we were down to less than 200 servers at that point 
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in time. So Sun servers, I can’t specifically tell you how many were 
running different versions of Struts because there were many 
different versions of Struts. 

Q. Where were the Sun servers primarily located? 

A. These servers were located in our data center in Alpharetta, Georgia. 

Q. Do you recall how many servers there are? 

A. It’s less than 200 in total, in terms of Sun servers, but I don’t - I 
can’t tell you how many were running Struts, or more specifically, 
how many were running the specific Struts version where the 
vulnerability occurred. 456 

3. Equifax Did Not Know What Software Was Used Within Its Legacy 
Environments 


As Webb’s testimony shows, Equifax did not have a comprehensive picture of the 
software used within the ACIS application. The company’s lack of knowledge about the software 
used within its legacy IT environment was a key factor leading to the 2017 data breach. 

Equifax’s Patch Management Policy relied on its employees to know the source and version of 
all software running on a certain application in order to manually initiate the patching process. 
Therefore, the lack of visibility regarding Apache Struts use in the Equifax environment greatly 
increased the likelihood an unpatched vulnerability could go unnoticed. 

Payne, who had ultimate responsibility for the ACIS environment, stated “at the time that 
the breach was announced, I wasn’t even aware that we were mnning Apache Struts in the 
particular environment.” 457 He testified he became aware Apache Struts was running on the ACIS 
platform on “July 30th, when Susan Mauldin called me to ask [for] my help in trying to get the 
system shut down.” 458 When asked how widely Equifax used Apache Struts software, Mauldin 
stated “I don’t know.” 459 

Witnesses provided conflicting testimony about whether Equifax kept a complete 
inventory of Apache Struts software use within the company’s systems. Mauldin was not 
confident about whether a single registry tracking Apache Struts use was available to all 
employees. She referenced the possibility of multiple inventory lists, saying the Security and IT 
teams kept separate lists. Mauldin testified: 

Q. Did Equifax have an inventory of this type of software? Would it 
have been part of Equifax’s software inventory? 
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A. [I] think that there were various inventory lists around, and I know 
that in Security, we had our own list .... we had a list that we 
worked on. I’m not sure what IT had. 

Q. Did you have different lists? 

A. I think that there were multiple lists around that people worked 
from. 460 

Payne discussed an ongoing initiative to develop a comprehensive inventory of IT 
systems, including all components found within the technology stack for each system. 461 He 
stated “inventories existed, but they weren’t comprehensive.” 462 Regarding whether Equifax 
placed an appropriate amount of attention on asset management, Payne testified: 

So I can comment on the 2011 to 2014 period, so where I had responsibility 
for it. I think . . . there was investment going on because we had people and 
we had processes. 

But they weren’t - we needed - in my view, we needed to do more and we 
had requested some additional investment do more, but we didn’t get, 
initially anyway, we didn’t get some of those requests funded. 

Over time we did start to invest more in IT asset management and discovery, 
but it was, as I say, it was a complex area. Inventories existed, but they 
weren’t comprehensive and they didn’t contain all the data that you 
would like to have in terms of all the attributes of all the systems that are 
running. 

And it was particularly hard in these older systems, right, because you can 

- in a more modem system you have got agents and scanners that can 
actually gather that information because that sort of - the software is more 

- is known and some software can tagged and all sorts of things. 

If you are talking about custom built applications like ACIS, it is hard for 
those tools to even identify all the components of those systems. So that 
makes it - that just adds another level of complexity. 463 

4. Security Concerns Specific to the ACIS Legacy Environment 

The ACIS dispute system is used by millions of consumers to challenge potentially 
incorrect information found within their Equifax credit report information which could result in 
an individual being denied a loan or receiving a higher interest rate. Equifax knew about the 
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security risks inherent in its legacy IT systems, but failed to prioritize security and modernization 
for the ACIS environment. 464 

A Security employee identified six major security concerns for the ACIS environment in 
an August 17, 2017 email to Mauldin and Payne. 465 Mauldin requested this assessment in 
preparation for an August 2017 meeting with senior leadership to discuss the data breach 
investigation. 466 

The six major security concerns, detailed below, were not newly discovered in August 
2017. In fact, the 2015 audit of patch management procedures identified three of the six issues 
for action. 467 


Security Concern 1 . There is no segmentation between the Sun 
application servers and the rest of the [Equifax] network. An 
attacker that gains control of the application sender from the 
internet can pivot to any other device, database, or server within the 
[Equifax] network, globally , 468 

Proper network segmentation “lays the groundwork for controls which protect against 
lateral movement on the network by malicious software and actors, preventing a potential 
infection or compromise from spreading across the network.” 469 If an attacker breaches the 
network perimeter of an organization with a flat, unsegmented network, they can move laterally 
throughout the network and gain access to critical systems or valuable data. 470 

The 2015 audit found the legacy Solaris environments, including ACIS, lacked proper 
segmentation. 471 According to interim CSO Russ Ayres, the ACIS application only needed access 
to three databases to function, but it was unnecessarily connected to many more. 472 Mandiant 
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stated network segmentation would have mitigated the amount of data the attackers were able to 
access. 473 


Both Mauldin and Payne testified they were unaware the ACIS environment lacked any 
segmentation prior to the incident occurring. 474 Mauldin stated: “[W]ould it have mitigated the 
attacker’s actions? Yes, I think it would have.” 475 

Security Concern 2. File Integrity Monitoring (FIM) is not in place 
on either the application or webservers, which would allow for 
alerting and detecting of any unauthorized changes within either 
environment. 416 

File integrity monitoring (FIM) is a security process to detect whether operating system, 
database, and application software files have been tampered with. 477 The majority of external 
cyberattacks involve changes to IT systems and configurations. FIM detects and alerts to 
potentially unauthorized changes on the network, such as the installation of a web shell serving 
as a backdoor into the company’s system. 478 Mandiant stated FIM could have detected the 
creation of the 30 web shells within the Equifax network. 479 Mauldin testified she was unaware 
FIM was not in place within the ACIS environment. 480 

Security Concern 3. The Sun systems have a shared file system 
across the environment that allows for access to any of the 
administrator files from one system to the next. This allows for any 
notes or configuration files from one system to be accessed from any 
other system. 4 *' 

File sharing across systems is a highly vulnerable practice, especially without properly 
set access permissions. 482 A system administrator should develop file access permissions to only 
allow the necessary, authenticated users to access certain files - especially configuration files 
which may contain sensitive security information. Best practices dictate the “principle of least 
privilege,” which restricts the rights and access of a user to the minimal amount necessary to 
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perform their role. 483 In addition, account access across separate file systems should be limited 
and monitored. 484 

An Equifax vulnerability tracker found the legacy Solaris operating system on one of the 
compromised ACIS servers “accepts network file system (NFS) client requests from any source 
port. By requiring [NFS] requests come from privileged source ports, the server can potentially 
avert attacks from systems on which the attacker does not have full administrative access.” 485 

If Equifax had limited access to sensitive files across its systems, the attackers may not 
have found the stored application credentials used to access sensitive databases outside the ACIS 
environment. 486 


Security Concern 4. Logging of the web servers is only retained for 
14 days, and 30 days online, making it difficult, to impossible, to 
reconstruct any malicious activity . 487 

A log is a record of the events occurring within an organization’s systems and 
networks. 488 Fogs are essential for forensic investigations into security incidents because they 
allow the organization to recreate the steps an attacker took within its networks. Fogs are only 
useful as long as they are retained. Targeted advanced attacks to the financial sector take an 
average of 98 days to detect. 489 The National Institute of Standards and Technology (NIST) 
recommends retaining logs for high impact systems for three to twelve months. 490 Threat 
intelligence firm Crowdstrike similarly recommends three to twelve months, based on how 
useful the type of log data is for conducting an investigation. 491 

Mauldin dismissed the importance of extended log retention for the internet-facing ACIS 
platform. She testified: 

A. Well, it’s not necessarily too short. I think that . . . logs and the 
retention of them is always an ‘it depends’ kind of answer. It 
depends on .. . what they’re used for and how much space they take 
and those kinds of things. So there are various strategies with logs 
and it’s really, in my opinion, dependent on that environment. 
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Q. Well, depending on this ACIS environment, external-facing, is 14 
days/30 days sufficient, in terms of - 

A. I think it certainly could be sufficient. 492 

Due to the sensitivity of the data accessed by the ACIS system and the system’s 
connection to the internet, much of the security industry would disagree with Mauldin’s 
conclusion. Mandiant also recommended Equifax expand and improve its logging capability. 493 

Security Concern 5. A complete software inventory of the resources 
used within the application is not maintained. This requires a 
complete code review to identify any potential weaknesses, rather 
than rapid identification of individual component vulnerabilities, as 
the individual open source components are not well understood or 
documented. 494 

The lack of a comprehensive asset inventory was also documented in the 2015 audit. 495 
The audit specifically found: 

A comprehensive IT asset inventory does not exist nor does accurate 
network documentation. A global view of the IT infrastructure does not 
exist across the organization. The lack of an accurate asset inventory makes 
it difficult to ensure all assets are adequately patched and configured. It also 
makes it difficult for [Security] to ensure [they are] vulnerability scanning 
all assets. Without a firm understanding of the status of all IT assets, 
ensuring the security and stability of Equifax systems is extremely 
difficult. 496 

When questioned, Mauldin seemed to dismiss the importance of a comprehensive 
inventory for the Security team despite the 2015 audit finding. Mauldin stated the lack of an 
inventory would not necessarily prevent the Security team from “doing our job properly.” 497 She 
testified: 

Q. Are you surprised . . . there’s not a complete inventory in this type 
of environment? 

A. I wouldn’t say that I’m surprised, no, not necessarily. But that - that 
would not, from a security perspective, keep us from doing our job 
properly. 
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Q. Wouldn’t you have to know, though, that [the] Apache Struts 
software was operating in this environment, and if you didn’t have 
an inventory, you wouldn’t know? 

A. Well, we might not know, but, again, I don’t think that not knowing 
that would prevent us from doing the right things from a security 
point of view. 498 

It is critical for an organization to know what assets are present within its IT 
environments to make accurate and informed risk determinations - such as when, and how, to 
patch a vulnerable system. As the Office of Personnel Management’s Inspector General warned 
prior to the 2015 OPM data breach, “failure to maintain an accurate inventory undermines all 
attempts at securing OPM’s infonnation systems.” 499 

Responsibility for the proper management of IT risk must be shared between the IT and 
Security teams. It was Security’s responsibility to detect vulnerabilities present within the 
Equifax environment. Security was unable to do this for ACIS because Equifax did not keep 
track of the presence of Apache Struts within the ACIS application. Therefore, the lack of a 
comprehensive inventory did prevent Security from properly doing its job. 

Security Concern 6. Consistent and timely patching of [the legacy 
Sun/Solaris] systems as a general observation is a concern. 500 

Equifax knew its patch management process was ineffective. 501 The 2015 Patch 
Management Audit concluded “vulnerabilities were not remediated in a timely manner,” and 
“systems were not patched in a timely manner.” 502 In short, Equifax recognized the patching 
process was not being properly implemented, but failed to take timely corrective action. 

*** 

Mauldin stated Equifax was in the process of making the ACIS application Payment Card 
Industry (PCI) Data Security Standard (DSS) compliant when the data breach occurred. 503 PCI 
DSS requirements apply to any entity that stores, processes, and/or transmits cardholder data. 504 
PCI preparation, which would have largely addressed the security concerns flagged in the 
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employee’s email to Mauldin, began in August 2016 and was scheduled to be completed by 
August 2017. 505 

PCI DSS compliance requirements include: the use of file integrity monitoring; 506 strong 
access control measures; 507 retention of logs for at least one year, with the last three months of 
logs immediately available for analysis; 508 installation of patches for all known vulnerabilities; 509 
and maintenance of an up-to-date inventory of system components. 510 

Mauldin testified the PCI DSS implementation “plan fell behind and these items did not 
get addressed.” 511 She stated: 

A. The PCI preparation started about a year before, but it’s very 
complex. It was a very complex - very complex environment. 

Q. A year before, you mean August 2016? 

A. Yes, in that timeframe. 

Q. And it was scheduled to be complete by August 2017? 

A. Right. 

Q. But it fell behind? 

A. It fell behind. 

Q. Do you know why? 

A. Well, what I recall from the application team is that it was very 

complicated, and they were having - it just took a lot longer to make 
the changes than they thought. And so they just were not able to get 
everything ready in time. 512 

5. Modernization Efforts Underway at the Time of the Breach 

Equifax recognized the inherent security risks created by continued operation of its 
legacy IT systems. 513 For example, Equifax decided to build out completely new systems rather 
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than continue to reactively implement new security methodologies and tools - some of which 
were not compatible - into the legacy systems. 514 Payne testified: 

[T]rying to apply a lot of these security methodologies, approaches, tools, 
and technologies and so on...it’s like trying to repair an old house, right? . 

.. [Y]ou can work on maybe one room at a time, maybe you can have a plan 
of where you want to get to, but really the best thing’s probably just to knock 
down the house and start building again. And that was sort of the approach 
we were taking, right? We were building out new systems. We were 
building out new data centers. That was really going to be the ultimate way 
that you would - we would address what - the technology debt that had 
been sort of inherited, but. . . you do the best you can to put in place all the 
controls you could. 515 

Prior to the 2017 data breach, Equifax was building out a modernized software-defined 
data center in Carrollton, Texas under the name Project Bluebird. 516 In 2015, Webb initiated 
Project Bluebird to migrate all of the company’s applications off the legacy Sun servers because 
“threat vectors were changing too quickly and this [was] one way to mitigate risk.” 517 The new 
data center had “high degrees of automation and orchestration built into it... to address some of 
these modernization challenges [Equifax] had.” 518 Webb, Payne, and Mauldin were all 
significantly involved with the planning and operation of Project Bluebird. 

Equifax planned to move the ACIS application from the legacy servers to the Bluebird 
data center. When attackers infiltrated the Equifax network through the ACIS portal in 2017, the 
application was still operating on the legacy Sun servers. Webb testified: 

So within Equifax, we really had two environments. We had the 
next-generation environment, which was what we called Bluebird earlier, 
which was essentially state of the art and brand new. And then we had the 
legacy environments that were sitting with things that we knew we were 
going to move over. 

And there was a plan to move it over within - the total thing was probably 
another 3 to 5 years to get everything from legacy into the state of the art. 

Of course, by the time you move it, it’s now legacy. So that’s the - that’s 
the joy of being in technology. 519 

Webb testified regarding additional challenges with the modernization initiative Project 
Bluebird. He stated: 
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Q. What was the biggest impediment to moving the legacy over? 

A. Ensuring that the application doesn’t break when you move it, 
because old technologies can be difficult to port or to refactor. 

Q. What about cost concerns? 

A. It was not a cost concern. It was - really, if there is a - if there’s a 
constraint, it’s the domain expertise required to refactor the 
application, because you need experts who understand what the 
application does in order to put it in a new environment and do the 
same thing. 320 

In addition to the infrastructure migration, Equifax was building a replacement for the 
ACIS set of systems called the Consumer Care Management System (CCMS). 321 The CCMS 
project was underway prior to 2014, enduring multiple delays as the company prioritized the 
completion of other initiatives. 322 Payne testified: 

So there were definitely risks associated with the ACIS environment that 
we were trying to remediate and that’s why we were doing the CCMS 
upgrade. 

One of the biggest issues with ACIS was that, again, it was designed back 
[in the 1970s] to comply with the [Fair Credit Reporting Act]. Since then 
states, many, many states have created their own legislation regarding 
disputes and disclosures, and . . . these [rules] would change frequently. So 
every time we had a change in the rules, the legislation, we had to modify 
the system. And because the way the system was originally built, these rules 
were hard coded into the system. So we had to get in and modify the system. 

It was just - it was time consuming, it was risky . . . and also we were lucky 
that we still had the original developers of the system on staff. 

So all of those were risks that I was concerned about when I came into this 
role. And security was probably also a risk, but it wasn’t the primary driver. 

The primary driver was to get off the old system because it was just hard to 
manage and maintain. 323 


*** 

Every organization must decide its tolerance for risk. To manage risk, organizations 
should understand the l ik elihood an event will occur and its potential effects. Major security 
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investments are not necessarily required at an equal level across the enterprise, but business 
critical systems and extremely sensitive data do require greater levels of care due to the potential 
high degree of harm to the business and its consumers. 

Equifax was moving in the correct direction with Project Bluebird and CCMS, as the 
company began to recognize the risks posed by continued operation of its legacy IT systems. The 
company, however, did not move quickly enough because Equifax was still operating the ACIS 
platform on the legacy environment at the time of the breach in 2017. 
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VI. Equifax Remediation Efforts 


Following the discovery of the breach and immediate actions taken to stop the 
unauthorized access and exfiltration, Equifax’s focus turned to remediation. Equifax took several 
actions in the aftermath of the breach to remediate its security weaknesses. 

A. Mandiant’s Remedial Recommendations 

On September 19, 2017, Mandiant released a report detailing its findings from the 
forensic review of the breach. Mandiant concluded attackers had access to the Equifax system 
from May 13, 2017 until July 30, 2017. During this timeframe, attackers compromised two 
systems supporting the ACIS portal and multiple database tables. The attackers used thirty 
unique web shells and other reconnaissance efforts to access and exfiltrate data. Mandiant 
initially concluded 143 million U.S. consumers had their PII compromised as a result of the 
breach. Mandiant’s report contained eleven remedial recommendations for Equifax: 

1. Enhance vulnerability scanning and patch management processes and 
procedures; 

2. Reduce the scope of sensitive data retained in backend databases; 

3. Increase restrictions and controls for accessing data housed within 
critical databases; 

4. Enhance network segmentation, to restrict access from internet facing 
systems to backend databases and data stores; 

5. Deploy additional web application firewalls and tuning signatures to 
block attacks; 

6. Accelerate the deployment of file integrity monitoring technologies on 
application and web servers; 

7. Enforce additional network, application, database, and system-level 
logging; 

8. Accelerate deployment of a privileged account management solution; 

9. Enhance visibility for encrypted traffic by deploying additional inline 
network traffic decryption capabilities; 

10. Deploy additional endpoint detection and response agent technologies; 
and 

11. Deploy additional email protection and monitoring technologies. 524 

After ensuring the attackers no longer had access to Equifax systems, Equifax turned to 
implementing these remedial recommendations. On October 3, 2017, the day after the Mandiant 
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investigation concluded, former CEO Richard Smith appeared before a House Energy and 
Commerce Subcommittee regarding Equifax’s remediation efforts. Smith testified: 

In recent weeks, vulnerability scanning and patch management processes 
and procedures were enhanced. The scope of sensitive data retained in 
backend databases has been reduced so as to minimize the risk of loss. 
Restrictions and controls for accessing data housed within critical databases 
have been strengthened. Network segmentation has been increased to 
restrict access from internet facing systems to backend databases and data 
stores. Additional web application firewalls have been deployed, and tuning 
signatures designed to block attacks have been added. Deployment of file 
integrity monitoring technologies on application and web servers has been 
accelerated. The company is also implementing additional network, 
application, database, and system-level logging. These are just a few of the 
steps Equifax has taken in recent weeks to shore up its security protocols. 

Importantly, Equifax’s forensic consultants have recommended a series of 
improvements that are being installed over the next 30, 60, and 90 day 
periods, which the company was in the process of implementing at the time 
of my retirement. In addition, at my direction a well-known, independent 
expert consulting firm (in addition to and different from Mandiant) has been 
retained to perform a top-to-bottom assessment of the company’s 
information security systems. 525 

Susan Mauldin testified about Mandiant’s eleven remediation recommendations. She 

stated: 

A. So, yes, several of these were underway and were things that we 
were already working on with security program. Some of these got 
accelerated and . . . were able to, it looks like, get a boost as a result 
of having Mandiant and additional resources to get those 
implemented. 

Q. When you say accelerated, is that accelerated as of July 2017 or prior 
to that? 

A. What I was referring to is, after Mandiant came in to assist with the 
investigation, they were able to add resources to help us get some of 
these things finished more quickly than we would have done in our 
. . . own natural timeline. 526 

In another portion of her testimony, Mauldin testified about an email from one of her 
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direct reports detailing security concerns with the ACIS environment. 527 Most of these security 
concerns match up with one of Mandiant’s remedial recommendations. For example, Mauldin’s 
employee found the lack of segmentation between the application servers and the rest of the 
network could allow an attacker to gain control of the application server and pivot anywhere else 
on the Equifax network. 528 This corresponds to Mandiant’s recommendation to enhance network 
segmentation. 529 The employee found the lack of file integrity monitoring presented a security 
issue for Equifax. 530 This corresponds to Mandiant’s recommendation to accelerate deployment 
of file integrity monitoring technologies. 531 The same employee found the short duration for 
which web server logging was kept posed a challenge to reconstructing malicious activity. 532 
Mandiant recommended enforcing additional logging in its seventh recommendation. 533 

David Webb confirmed several of Mandiant’s recommendations were underway prior to 
the breach. He stated: 

There were significant efforts underway, really to overhaul the entire 
infrastructure. So, as I mentioned earlier, we had - it was a project called 
Bluebird, and it was really a software-defined data center which was 
addressing many of these things. And, again, the intent was to address these 
issues as part of that infrastructure overhaul. 534 

In August 2018, Mandiant and Equifax officials confirmed Equifax implemented all 
eleven of the remedial recommendations. 535 

B. 2018 Consent Order with State Regulatory Agencies 

In addition to the remedial recommendations from Mandiant, on June 25, 2018, Equifax 
agreed to take several actions under a Consent Order entered into with regulatory agencies from 
eight states. Under the 2018 Consent Order, Equifax agreed its Board of Directors would 
approve a written risk assessment within 90 days containing: (1) foreseeable threats and 
vulnerabilities to PII; (2) likelihood of threats; (3) potential damage to business operations; and 
(4) safeguards and mitigating controls addressing each threat and vulnerability. 536 Within 30 days 
of the 2018 Consent Order, Equifax had to improve its audit function and establish a formal and 
documented internal audit program capable of evaluating information technology controls. 537 
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Equifax agreed to improve oversight of its information security program within 90 days 
by, among other things, reviewing and approving information technology and information 
security policies. 538 Within this same timeframe, Equifax agreed to improve oversight of critical 
vendors to ensure information is safeguarded. 539 

The 2018 Consent Order required Equifax to improve the standards and controls for 
patch management. 540 The 2018 Consent Order stipulated, “[a]n effective patch management 
program must be implemented to reduce the number of unpatched systems and instances of 
extended patching time frames.” 541 To do so, Equifax agreed to: (1) develop a comprehensive 
information technology asset inventory; (2) formalize a process to routinely identify necessary 
patches; (3) create an action plan for decommissioning legacy systems; and (4) formalize its 
Patch Management Policy. 542 

The 2018 Consent Order patch management action items mirror the first remedial 
recommendation from Mandiant, recommending Equifax enhance its patch management 
procedures and processes. 543 Several items in the 2018 Consent Order also mirror 
recommendations from a 2015 internal patch management audit at Equifax. 544 The 2015 audit 
recommended retiring legacy systems as quickly as possible, implementing automated tools to 
patch systems in a timely manner, creating a proactive patching program, and putting together a 
comprehensive IT asset inventory. 545 

Equifax agreed in the 2018 Consent Order to increase the oversight of the disaster 
recovery and business continuity functions of IT operations. 546 Equifax must provide written 
reports detailing its progress towards compliance with the Consent Order. 547 

Regarding the 2018 Consent Order, Graeme Payne testified: 

I did see the state [Attorneys General] settlement they had and read all the 
things they committed to, and I wish them good luck, because there’s a lot 
in there that is going to require a lot of investment and a lot of effort to build 
the things I think that they agreed to do in that. 548 

C. GAO Findings 

On August 30, 2018, GAO published a report detailing Equifax’s information security 
remediation activities to date. Following the breach, GAO found Equifax took both system-level 
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remediation measures and broader programmatic measures. 549 The GAO draft report findings 
were based on public Equifax SEC filings and information provided to GAO by Equifax 
officials. 

Equifax put in place system-level remediation measures to address the weaknesses that 
led to the breach. In the GAO report, Equifax officials identified five major areas of weaknesses 
which contributed to the breach: 

1. Software updates; 

2. Software configuration; 

3. Access controls; 

4. Network monitoring; and 

5. Boundary protection. 550 

To address the fact software updates were not properly managed leading to the Apache 
Struts patch not being applied, GAO wrote “Equifax reportedly implemented a new management 
process to identify and patch software vulnerabilities and confirm that vulnerabilities had been 
addressed.” 551 To address weak configuration management, which prevented scanning tools from 
detecting the Apache Struts vulnerability, GAO reported “Equifax stated that they upgraded or 
eliminated vulnerable legacy systems and implemented a new endpoint security system to detect 
misconfigurations, evaluate potential indications of compromise, and automatically notify 
system administrators of identified vulnerabilities.” 552 Equifax agreed to address weak access 
controls which allowed the intruders to run numerous queries and access files with PII by 
implementing “a new security controls framework and tighter controls on accessing specific 
systems, applications, and networks.” 553 

According to GAO, a misconfigured monitoring device allowed encrypted web traffic to 
go uninspected through the Equifax network. 554 To prevent this from happening again, GAO 
reported Equifax developed new policies and implemented new tools to ensure network traffic is 
monitored continuously. 555 To address weak boundary protections, which allowed access to the 
various databases, Equifax implemented additional controls at its external boundary to monitor 
communications and further restricted traffic between internal servers. 556 


549 DRAFT GAO Equifax Data Breach Report at 18-19 (August 2018) (on file with the Committee). Five areas were 
initially identified and then later revised in the final GAO Report. 

550 Id. at 17. 

551 Id. 

552 Id. 

553 Id. 

554 Id. at 13-14. GAO reported the misconfiguration was due to SSL certificates which had expired ten months 
before the breach occurred. However, documents show the certificates were expired for approximately 19 months 
prior to the breach. See infra. Chapter 3, subsection B. 

555 DRAFT GAO Equifax Data Breach Report at 13-14. 

556 Id. 
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According to GAO, Equifax implemented broader programmatic measures. One of these 
measures was changing the reporting structure of the CSO. 557 The CISO (formerly known as the 
CSO) now reports directly to the CEO to allow for greater visibility into cybersecurity risks by 
top management. 558 

D. Remediation Steps Reported to SEC 

Equifax’s 2017 annual SEC (10-K) filing shows the company has taken a variety of 
remediation steps to address the weaknesses identified during the breach investigation. 559 In its 
10-K filing, Equifax stated, “The Company has taken and continues to take extensive steps 
designed to prevent this type of incident from happening again and to earn back the trust of 
consumers, customers and regulators.” 560 The report continued: 

Following the cybersecurity incident, we began undertaking significant 
steps to enhance our data security infrastructure. In connection with these 
efforts, we have incurred significant costs and expect to incur additional 
significant costs as we take further steps to prevent unauthorized access to 
our systems and the data we maintain. The actions we have taken are based 
on our investigation of the causes of the cybersecurity incident, but there 
will be additional changes needed to prevent a similar incident. We have 
also enhanced our disclosure controls and procedures and related protocols 
to specifically provide that cyber incidents are promptly escalated and 
investigated and reported to senior management, and where appropriate, to 
the Board of Directors. We also engaged an independent outside consulting 
firm to help us with both strategic remediation activities and to review our 
cybersecurity framework, our controls framework and our management and 
employees’ roles and responsibilities. 561 

E. Equifax’s Updated Approach to Cybersecurity 

In its 2018 Annual Proxy Statement to investors, Equifax reported on how its Board of 
Directors was enhancing Board oversight in an effort to strengthen Equifax’s cybersecurity 
posture. 562 The enhanced Board oversight includes (see Figure 14): 


557 Id. 

558 Id. 

559 Equifax, 2017 Annual Report (Form 10-K) (Mar. 1, 2018), https://investor.equifax.com/~/media/Files/E/Equifax- 
IR/Annual%20Reports/2017-annual-report.pdf. 

560 Id. at 3. 

561 Id. 

562 Equifax, Notice of 2018 Annual Meeting and Proxy Statement 27 (2018), 

https://investor.equifax.eom/~/media/Files/E/Equifax-IR/Annual%20Reports/2018-proxy-statement-web.pdf. 
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— • Heightened Board-Level Engagement 

Since the cytaersecxity incident was *rst reported to the Board, the Board and its ccmmttees have met ewer 75 tmes, 
in addten to numerous rfarmal update sessions, reflecting the intense focus of the Board on matters related to tie 
cybersecurty incident. 

We implemented enhanced Board-level engagement on cybersecurry, with haghtened Board attention to cyberseaxity risks 
and trends and the Company's approach to managing these risks. 

— • Broadened Technology Committee Responsibilities 

The Board broadened the Technology Committees scope to apecrcaly ndude oweraght of cyOersecurty and technology- 
rested nsks and rranagement's efforts to monitor and mitigate those risks. In addition, the Board sbuesured the Technology 
Committee's oversight of data in a manner more simiar to the Audit Committee's orersight of the Company's fhanaal risks. 

As contemplated under its revised charter, the Technology Comrmaee imI engage an independent cybersecunty eoepert in 
order to gather maght on data secuity and technology ssues and assees security remediation eflorts wnn the Company. 

— • Formed Special Committee 

The Board formed a Special Committee r September 2017 to conduct an independent revwv of the cybersecurry incident, 
the Company's response to it and at naarant do kiss and pracboes. See ‘Ftaxy Summery—How Equifax is Working to Regain 
Your Trust' on page 9 and ‘Review of Tracing in Equiax Securities' on page 12. 

— • Enhanced Cybersecurity Defenses 

We corenueto take sign heart si are to enhance our data security nhastrjclure 3r>d defenses. These enharcemerts ndude n«v 
and improved teemea cortroe and procedires, the addtional use of outside third party experts as wel as personnel changes. 
The personnel changes ndude hiring a new Chief Irriomaticr Security Oficer and addng other new seaxrty department personnel. 

— • Enhanced Risk Escalation and Disclosure Controls 

We enhanced otx nsk escaation processes to support rapid escaaton and ntemal reification of cybersecunty incidents. 

We have asc enhanced our dsdosure control and procedures and related protocols to speafcaly provide that cybersecxity 
incidents are promptly escslsced and nvestgated and reported to senior management, and vnere appropriate, to the Board 
of Dreoors 

— • Implemented Changes to ERM Program 

As noted above, we are in the process of implementing a new ERM tamewerk based on the three ines cf defense model for 
estabishing effective checks and baances. which is used by eadng financial institutions. 

Figure 14: Equifax Board of Directors Enhanced Oversight Plan 


Equifax has increased IT and cybersecurity spending post-breach. In November 2017, 
interim CEO Paulino do Rego Barros stated Equifax increased security spending fourfold since 
the breach was discovered. 563 Equifax reported $221.5 million in costs related to the 
cybersecurity incident through the first nine months of 2018 (see Figure 15). 564 



Three Months Ended 

Nine Months Ended 

(in millions) 

September 30, 2018 

September 30, 2018 

Technology and data security 

$ 

92.6 

$ 

193.2 

Legal and investigative fees 


16.1 


61.4 

Product liability 


7.8 


11.9 

Insurance recoveries 


— 


(45.0) 

Total 

$ 

116.5 

$ 

221.5 


Figure 15: 2018 Equifax Costs Related to Cybersecurity Incident 


563 Jennifer Surane, Equifax Is Haunted By Its Costly Cyber Attack, BLOOMBERG (Nov. 9, 2017), 
https://www.bloomberg.com/news/articles/2017-l 1-09/equifax-haunted-by-cyber-attack-as-costs-jump-lawsuits- 
abound. 

564 Press Release, Equifax, Equifax Releases Third Quarter 2018 Results (Oct. 24, 2018), 
https://www.prnewswire.com/news-releases/equifax-releases-third-quarter-2018-results-300737406.html. 
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Comparatively, Susan Mauldin testified the annual budget for the Security team at the 
time she left Equifax in September 2017 was $38 million. 565 

F. Equifax Officials on Remediation 

Following his appointment as Equifax’s new CEO, Mark Begor told news outlets, “We 
didn’t have the right defenses in place, but we are investing in the business to protect this from 
ever happening again.” 566 All three witnesses the Committee interviewed stated they believed 
Equifax properly invested in security. 567 When asked about Begor’s quote, Payne stated: 

I think - look, there were a lot of gaps, I think . . . that we were aware of 
and we were working on, right? So ... it wasn’t a matter of not having 
defenses in place. I think it was ... a lot of the right things were being done. 

The problem was they weren’t necessarily comprehensive enough, right? 

We had an asset inventory, yes, but it wasn’t comprehensive. We had a 
patching process, but it didn’t - it wasn’t thorough enough, or it wasn’t 
comprehensive enough. It didn’t - we had notifications, but we didn’t 
notify the people - everyone that needed to be notified . . . [W]e had 
scanning, but it didn’t scan all the things ... so it’s not as if those defenses 
weren’t in place. 568 

Webb stated Equifax’s failure to prevent this data breach was not a spending issue, but 
rather it was a failure of execution. He testified: 

A. Again, at the end of the day, we were spending a significant amount 
of dollars. We had the tools and the capabilities. Whether the people 
and process components were working is the thing that needs to be 
evaluated, not the spend. 

Q. Right, but if you were spending appropriately on the IT and security, 
why didn’t any of the security tools that you had detect this 
cyberattack? 

A. The tools also require people and process to operate and to function 
properly. 569 


565 Mauldin Transcribed Interview at 16. 

566 Ken Sweet, Equifax Hires Financial Executive Mark Begor as New CEO, U.S. News (March 28, 2018), 
https://www.usnews.com/news/business/articles/2018-03-28/equifax-names-mark-begor-as-its-ceo. 

567 See Mauldin Transcribed Interview at 150; Payne Transcribed Interview at 158-159; Webb Transcribed Interview 
at 15-16. 

568 Payne Transcribed Interview at 151. 

569 Webb Transcribed Interview at 57. 
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Mauldin testified about what Equifax could have done better to prevent the breach. She 


stated: 


I think we had a lot of good work. This was a very unfortunate incident, and 
I know I deeply regret it, as many do. But I think it just simply - for me, it 
underscores the importance of staying aware and staying vigilant, staying 
ahead of the threat actor. They are so sophisticated and so well-funded that 
every company has to be continuously on its toes and pushing ahead . . . 
vigorously to get things done, get plans completed, and so forth. It just 
underscores the importance of that for me. 570 


570 Mauldin Transcribed Interview at 142-43. 
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VII. Recommendations 


Recommendation 1: Empower Consumers through Transparency 

Consumer reporting agencies should provide more transparency to consumers on what data is 
collected and how it is used. A large amount of the public’s concern after Equifax’s data breach 
announcement stemmed from the lack of knowledge regarding the extensive data CRAs hold on 
individuals. CRAs must invest in and deploy additional tools to empower consumers to better 
control their own data. For example, CRAs should offer consumers a free, simple summary 
explaining the data collected on the individual. The summary should include the number of times 
the CRA provided their data to a business within the last year. The summary should be available 
for consumers to view at any time, outside of the annual free credit report offer. This would 
allow consumers to track the information CRAs have on them and know how often their 
information was being shared. Credit report locks and freezes give consumers increased control 
of their data. CRAs are required to offer free credit freezes to all consumers. 571 None of these 
transparency measures, including credit freezes, should require a consumer to sign up for 
additional services or make any other commitment. 

Recommendation 2: Review Sufficiency of FTC Oversight and Enforcement Authorities 

Currently, the FTC uses statutory authority under Section 5 of the Federal Trade Commission 
Act to hold businesses accountable for making false or misleading claims about their data 
security or failing to employ reasonable security measures. Additional oversight authorities and 
enforcement tools may be needed to enable the FTC to effectively monitor CRA data security 
practices, both prior and subsequent to a breach occurring, and incentivize CRAs to adequately 
safeguard the consumer data they store. 

Recommendation 3: Review Effectiveness of Identity Monitoring and Protection Services 
Offered to Breach Victims 

GAO should examine the effectiveness of current identity monitoring and protection services and 
provide recommendations to Congress. In particular, GAO should review the length of time that 
credit monitoring and protection services are needed after a data breach to mitigate identity theft 
risks. Equifax offered free credit monitoring and protection services for one year to any 
consumer who requested it. A variety of opinions were provided to the Committee about both the 
value of credit monitoring services and the recommended length of time the protection should be 
provided. This GAO study would help clarify the value of credit monitoring services and the 
length of time such services should be maintained. The GAO study should examine alternatives 
to credit monitoring services and identify additional or complimentary services to enhance the 
protections offered by credit monitoring services. 


571 The Economic Growth, Regulatory Relief, and Consumer Protection Act, Pub. L. No. 115-174 (2018). 
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Recommendation 4: Increase Transparency of Cyber Risk in Private Sector 


Federal agencies and the private sector should work together to increase transparency of a 
company’s cybersecurity risks and steps taken to mitigate such risks. One example of how a 
private entity can increase transparency related to the company’s cyber risk is by making 
disclosures in its SEC filings. In 2011, the SEC developed guidance to assist companies in 
disclosing cybersecurity risks and incidents. According to the SEC guidance, if cybersecurity 
risks or incidents are “sufficiently material to investors” a private company may be required to 
disclose the information in registration statements, financial statements, and 8-K forms. Equifax 
did not disclose any cybersecurity risks or cybersecurity incidents in its SEC filings prior to the 
2017 data breach. Federal agencies, such as the SEC, should continue to encourage the public 
disclosure of cyber risks to increase awareness of a company’s cybersecurity posture. 

Recommendation 5: Hold Federal Contractors Accountable for Cybersecurity with Clear 
Requirements 

The Equifax data breach and federal customers’ use of Equifax identity validation services 
highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in 
federal acquisition. The Office of Management and Budget (OMB) should continue efforts to 
develop a clear set of requirements for federal contractors to address increasing cybersecurity 
risks, particularly as it relates to handling of PII. There should be a government-wide framework 
of cybersecurity and data security risk-based requirements. 

In 2016, the Committee urged OMB to focus on improving and updating cybersecurity 
requirements for federal acquisition. 572 Notably, several acquisition rules and clauses were 
finalized in 2016 to address cybersecurity requirements for federal contractors. 573 The National 
Archives and Records Administration (NARA) finalized a rule providing direction to agencies 
on how to handle and secure Controlled Unclassified Information (CUI), such as PII. 574 The CUI 
program was established to standardize processing and handling of unclassified sensitive types of 
information agencies and their contractors handle. In March 2019, a notice of proposed 
rulemaking for the related acquisition rule with contract clauses for CUI handling is expected. 575 
The Committee again urges OMB to expedite development of a long-promised cybersecurity 
acquisition memorandum to provide guidance to federal agencies and acquisition 
professionals. 576 


572 Majority Staff of H. Comm, on Oversight & Gov’t Reform, 1 14th Cong., The OPM Data Breach: How 
the Government Jeopardized Our National Security for More than a Generation 24 (Comm. Print 2016). 

573 81 Fed. Reg. 30,439 (May 16, 2016); see also 81 Fed. Reg. 72,986 (Oct. 21, 2016). 

574 81 Fed. Reg. 63,324 (Sept. 14, 2016); CUI Category: Sensitive Personally Identifiable Information, NARA, 
https://www.archives.gov/cui/registry/category-detail/sensitive-personally-identifiable-info (last visited Nov. 4, 
2018). 

575 Federal Acquisition Regulation; FAR Case 2017-016, Controlled Unclassified Information (RIN: 9000-AN56), 
Office of Information and Regulatory Affairs, 

https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201810&RIN=9000-AN56 (last visited Nov. 4, 

2018). 

576 See Letter from Mick Mulvaney, Director, Office of Mgmt. & Budget, to Will Hurd, Chairman, Subcomm. on 
Info. Tech., H. Comm, on Oversight & Gov’t Reform (July 24, 2017) (on file with Committee). 
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In the interim, federal agencies should use existing tools to hold contractors accountable for 
cybersecurity. For example, agencies should consider proactively conducting oversight of 
contractors’ cybersecurity practices/risk, examining contractors’ past performance information, 
building cybersecurity requirements into evaluation factors, and using the suspension and 
debarment mechanism. Equifax provided identity verification services to three federal agencies 
and these agencies took action in the aftermath of the data breach. 577 The Internal Revenue 
Service (IRS), Social Security Administration (SSA), and the U.S. Postal Service (USPS) all 
made site visits to Equifax’s data center in Alpharetta, GA to review security controls. 578 SSA 
assessed Equifax’s compliance with NIST security baseline controls and shared this information 
with the IRS and USPS. 579 

Recommendation 6: Reduce Use of Social Security Numbers as Personal Identifiers 

The executive branch should work with the private sector to reduce reliance on Social Security 
numbers. Social Security numbers are widely used by the public and private sector to both 
identify and authenticate individuals. Authenticators are only useful if they are kept confidential. 
Attackers stole the Social Security numbers of an estimated 145 million consumers from 
Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no 
longer confidential. To better protect consumers from identity theft, OMB and other relevant 
federal agencies should pursue emerging technology solutions as an alternative to Social Security 
number use. 

Recommendation 7: Implement Modernized IT Solutions 

Companies storing sensitive consumer data should transition away from legacy IT and 
implement modern IT security solutions. Equifax failed to modernize its IT environments in a 
timely manner. The complexity of the legacy IT environment hosting the ACIS application 
allowed the attackers to move throughout the Equifax network and obtain access to unrelated 
consumer PII. Equifax’s legacy IT was difficult to scan, patch, and modify. The Committee has 
emphasized the important security benefits of modernized IT solutions for federal agencies. The 
Committee passed the Modernizing Government Technology Act to incentivize federal agencies’ 
implementation of new technology by allowing agencies to reinvest IT modernization savings. 
Private sector companies, especially those holding sensitive consumer data like Equifax, must 
prioritize investment in modernized tools and technologies. 


577 GAO Equifax Data Breach Report at 18. 

578 Id. at 22-23. 

579 Id. 
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